KFW road maps for 3.x and 4.x
Jeffrey Altman
jaltman at secure-endpoints.com
Thu Apr 26 09:19:41 EDT 2007

Based upon discussions that Sam and I had yesterday it appears to me
that we want to begin working on KFW along two different tracks. On one
hand we wish to have a more frequent release schedule to enable new
features and bug fixes to be pushed to the community on a more regular
basis. Perhaps every two or three months. Examples of functionality
that falls into this category would be revisions to the krb5 plug-in
infrastructure, PKINIT support, Vista integration improvements, support
for Google Desktop Sidebar, etc.

On the other hand we have a number of significant changes that we want
to implement that will require architectural changes. Examples include
the new credential cache infrastructure, Kerberos Identity Management
API, disengagement of Kerberos v4 support, redesign of Leash API (for
backward compatibility) so that v4 libraries become optional, new
compiler platform, dropping of Win2000 support, 64-bit libraries, etc.

I therefore propose that we do both at the same time. The more frequent
releases will be part of the KFW 3.x series while the longer term
changes requiring architectural redesign will be targeted for KFW 4.0.

KFW 3.3/3.4:
* number one priority is PKINIT support. October 1st is a hard deadline
  for government agencies. In speaking with the Navy, they require a
  Kerberos distribution with PKINIT support by July in order to meet that
  deadline. They are prepared to fork the code base to meet that
  requirement if necessary.
  However, I have convinced them of the negative consequences and they
  would prefer to see an MIT release by that date.
  I will follow up with another e-mail detailing the PKINIT development
  issues.
  I have limited funding to do this work.
* Microsoft Vista LSA Cache Synchronization. The credentials for the
  default identity should be pushed into the Vista LSA. NIM should listen
  for Microsoft Kerberos notification messages to determine when Windows
  requires the original identity to be swapped back in.
  (no funding available but it is crucial to the NIM vision)
* Google Desktop Sidebar Gadget support. When the Google Desktop Sidebar
  is displayed, NIM will add itself as a gadget to the sidebar and provide
  the contents of the basic display. Adding this support will create a
  compile time dependency on the Google Desktop SDK. There will be no new
  run-time dependencies.
  (no funding available but can be used to leverage interest in NIM by
  Google)
* View All Identities mode. Whether or not an identity has credentials,
  is the default, or is pinned, the identity will be listed when this
  mode is active.
  (no funding available)
* Custom icons and notification sounds. [if there is time]
(no funding available)
Proposed KFW 3.3 Beta July 1st. Items which cannot be implemented in
time for 3.3 will be in 3.4. Proposed KFW 3.4 Beta mid-August.
Question: Is there any money available within MIT to have additional
icons drawn by Joanna Proulx of MIT's Academic Media Production Services?
KFW 4.0:
* New Credential Cache. Initial implementation per logon session just
  like today. This will not address the needs of non-interactive logon
  sessions or interactive sessions started with "runas". There is a
  significant question as to whether or not CCAPI is the correct long
  term approach on Microsoft Windows. Our own LSA based credential
  manager is probably a better architectural design.
* Kerberos Identity Management. KIM will need to be integrated into NIM.
  The NIM krb5 credential provider will require modification to support
  two sets of messages from KIM. First, it will need to support a request
  to display a UI and/or simply return configuration data but not obtain
  credentials directly. Second, it will need to be notified that
  credentials for identity user@FOO were obtained so that the dependent
  credential providers can be notified.
* Microsoft Windows Vista Widget functionality. Similar to the Google
  Desktop Sidebar. Requires the use of the Vista SDK.
* Removal of Kerberos v4 support. As of KFW 4.0, there will be no
  Kerberos v4 support. krbv4w32.dll, kclient.dll, and the NIM krb4
  provider will be frozen at their last KFW 3.x release and re-packaged
  as a stand-alone installer for those who continue to require its
  availability. The pismere versions of the kuser tools and the leashw32
  library will need to be modified to conditionally load the v4 libraries.
* Minimum platform requirement is XP SP2. In order to support the new
  credential cache, KIM, and Vista widget functionality we must begin
  using the VS2005 compiler and the Vista Platform SDK. As a result,
  support for Windows 2000 will be discontinued. The KFW 3.x series will
  be maintained for Windows 2000 support if necessary.
Proposed KFW 4.0 Beta during the first half of 2008.
If this road map is accepted, we should send an announcement to the
community indicating the plans for both Kerberos v4 support and Windows
2000 support.
Jeffrey Altman
Secure Endpoints Inc.