
Re: [decentralization] Good news for decentralization?

  • Dave Winer
    Message 1 of 20, Sep 20 12:17 PM
      I just got off the phone with Chris Payne and Hal Howard from Microsoft, and
      think I can clarify.

      Today's announcement is about Kerberos only. They said that at this level
      their system is open, meaning that users can choose a different server from
      Microsoft's to manage their identity.

      Higher level issues, schema for user data, and protocols for connecting
      desktop apps to clouds are not being discussed now; however they said that
      they would be released with a similar philosophy.

      They may have patents, and if they have them they will use them.

      WSDL, UDDI and SOAP are the underpinnings of the next level(s) up.

      We had a long wide-ranging discussion of what open means, and what level of
      choice will be necessary for independent developers to be willing to invest
      in Microsoft's new platform.

      Happy to answer questions if I have the info.

      Dave
    • Dave Winer
      Message 2 of 20, Sep 20 12:19 PM
        Sorry I didn't get this until after the call.

        To your first question, it appears that's not a problem because they're
        using Kerberos, which is (they say) interoperable and available in lots of
        server environments.

        To the latter question, they would probably ask if Mozilla supports
        Kerberos.

        Dave


        ----- Original Message -----
        From: "Brian Behlendorf" <brian@...>
        To: <decentralization@yahoogroups.com>
        Sent: Thursday, September 20, 2001 11:49 AM
        Subject: Re: [decentralization] Good news for decentralization?


        >
        > Don't forget to ask about people running *other* profile servers, again
        > without Microsoft software. It's not just about the profile-based service
        > providers, but about independent user databases as well.
        >
        > Ask about what barriers will exist to implementing any required
        > client-side in Mozilla.
        >
        > Brian
        >
        > On Thu, 20 Sep 2001, Dave Winer wrote:
        > > I've listed my questions on Scripting News:
        > >
        > > http://scriptingnews.userland.com/backissues/2001/09/20
        > >
        > > "My key question will be user choice and developer lock-in. Will I be able
        > > to connect to Microsoft's users without running any Microsoft software on my
        > > end. Will users have choice? Will they be able to completely replace
        > > Microsoft's server with mine? Does my system have to support UDDI and WSDL,
        > > or is SOAP enough? Does Microsoft have any patents in this area which might
        > > limit competition? In general, how much opportunity is there for
        > > competition, and what assurances do we have that Microsoft won't change the
        > > basic behavior later, as they did with Smart Tags?"
        > >
        > > Dave
        > >
        > >
        > > ----- Original Message -----
        > > From: "Dave Winer" <dave@...>
        > > To: <decentralization@yahoogroups.com>
        > > Sent: Thursday, September 20, 2001 9:37 AM
        > > Subject: Re: [decentralization] Good news for decentralization?
        > >
        > >
        > > > BTW, I'm doing a conf call with Microsoft people at 11AM. If people have
        > > > questions, let me know. I want to figure out what this means too. Dave
        > > >
        > > >
        > > > ----- Original Message -----
        > > > From: "Lucas Gonze" <lucas@...>
        > > > To: <decentralization@yahoogroups.com>
        > > > Sent: Thursday, September 20, 2001 9:22 AM
        > > > Subject: RE: [decentralization] Good news for decentralization?
        > > >
        > > >
        > > > > Questions for Dave Stutz:
        > > > >
        > > > > Dave --
        > > > >
        > > > > Is this just a formalization of the policy you mentioned way back when,
        > > > > that Kerberos federations were a possibility?
        > > > >
        > > > > How large does a node have to be to be a federation member? Can an ISP
        > > > > join? Can paranoid individuals with an always-on home connection join?
        > > > >
        > > > > - Lucas
        > > > >
        > > > > > From: Dave Winer [mailto:dave@...]
        > > > > > NY Times [2]: "Microsoft says its software must operate with other kinds of
        > > > > > online authentication software if Internet commerce is to develop rapidly.
        > > > > > Microsoft executives said they wanted to avoid a rerun of the early days of
        > > > > > automated teller machines, before common standards and a sense of trust,
        > > > > > when each major bank had its own stand-alone network."
        > > > >
        > > > >
        > > > > To unsubscribe from this group, send an email to:
        > > > > decentralization-unsubscribe@egroups.com
        > > > >
        > > > >
        > > > >
        > > > > Your use of Yahoo! Groups is subject to
        > > http://docs.yahoo.com/info/terms/
        > > > >
        > > > >
        >
        > --
        > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
        > CollabNet | open source | do what's right
      • rahul@reno.cis.upenn.edu
        Message 3 of 20, Sep 20 12:42 PM
          >
          > I just got off the phone with Chris Payne and Hal Howard from Microsoft, and
          > think I can clarify.
          >
          > Today's announcement is about Kerberos only. They said that at this level
          > their system is open, meaning that users can choose a different server from
          > Microsoft's to manage their identity.
          >
          > Higher level issues, schema for user data, and protocols for connecting
          > desktop apps to clouds are not being discussed now; however they said that
          > they would be released with a similar philosophy.
          >
          This may or may not be then useful depending on how they are planning to
          support GSS-API Tokens
          (see ftp://ftp.isi.edu/in-notes/rfc1964.txt)
          over http, these tokens being byte size based. The way I understood it was that
          there would be an XML or http header representation for the GSS-API or direct
          kerberos constructs, but these are under their control. Presumably the
          microsoft servers will support GSS over TCP, but that's completely useless
          to a web developer who wants a HTTP header or XML-SOAP access API.

          So I remain sceptical about there being any content at all in today's
          announcement.
          Rahul
        • Wesley Felter
          Message 4 of 20, Sep 20 12:50 PM
            On Thu, 20 Sep 2001 rahul@... wrote:

            > > Today's announcement is about Kerberos only. They said that at this level
            > > their system is open, meaning that users can choose a different server from
            > > Microsoft's to manage their identity.
            >
            > This may or may not be then useful depending on how they are planning to
            > support GSS-API Tokens
            > (see ftp://ftp.isi.edu/in-notes/rfc1964.txt)
            >
            > over http, these tokens being byte size based. The way I understood it was that
            > there would be an XML or http header representation for the GSS-API or direct
            > kerberos constructs, but these are under their control. Presumably the
            > microsoft servers will support GSS over TCP, but that's completely useless
            > to a web developer who wants a HTTP header or XML-SOAP access API.

            In other words, if you aren't willing to reuse code, you won't be able to
            support Kerb5 within the next few years, because it's not nearly as simple
            as HTTP.

            Wesley Felter - wesley@... - http://felter.org/wesley/
          • rahul@reno.cis.upenn.edu
            Message 5 of 20, Sep 20 1:45 PM
              > >
              > > This may or may not be then useful depending on how they are planning to
              > > support GSS-API Tokens
              > > (see ftp://ftp.isi.edu/in-notes/rfc1964.txt)
              > >
              > > over http, these tokens being byte size based. The way I understood it was that
              > > there would be an XML or http header representation for the GSS-API or direct
              > > kerberos constructs, but these are under their control. Presumably the
              > > microsoft servers will support GSS over TCP, but that's completely useless
              > > to a web developer who wants a HTTP header or XML-SOAP access API.
              >
              > In other words, if you aren't willing to reuse code, you won't be able to
              > support Kerb5 within the next few years, because it's not nearly as simple
              > as HTTP.
              >
              > Wesley Felter - wesley@... - http://felter.org/wesley/

              Wes,
              Could you elaborate? One would think that any API supportable over
              TCP could be supported over HTTP, albeit in a hackneyed way (for example,
              add a header to identify a structure and 3 headers for each member,
              one for encoding/type, one for length, and one for a possibly base64'ed
              string representation). Horrible but doable.

              On the other hand, Kerberos is conceptually very simple, and the basic
              aspects could be implemented in cookie-like headers and simple SOAP calls.
              It wouldn't be Kerberos, but something similar. Leaving out the bootstrap
              to the initial shared keys (or asymmetric keys if that's how you like it),
              you'd need a combined authentication and ticket granting server with
              roughly (conceptually) the following API:

              authenticate(username, encrypted_authenticator_token(eat))

              (eat here encrypted with asymm key, or preagreed symm)
              and then

              authenticateTo(username, another eat, ticket_granting_ticket, service)

              (eat here encrypted with session key to auth server)

              The first would return a ticket granting ticket and a session key for the
              authserver, locked by the user's permanent key, and the second a ticket to
              the service locked by the service's key and including a session key for the
              service, and the session key.

              And then each service would need to support a getAuth method:

              getAuth(username, another eat, service_ticket)

              (eat encrypted by service specific session key, included in the service ticket)

              The implementation needs a lot of care, of course, but the idea is simple.
              Rahul
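
The three-call sketch in the message above, worked through in Python as an added example (not code from the thread): `authenticate`, `authenticate_to` and `get_auth` mirror the authenticate, authenticateTo and getAuth calls. Assumptions: pre-shared symmetric keys, and an HMAC-SHA256 encrypt-then-MAC construction standing in for a real cipher; the helper names are hypothetical, and no replay cache is kept, so an authenticator can be replayed inside the 120-second skew window.

```python
import hashlib, hmac, json, os, time

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(key, obj):  # encrypt-then-MAC; stand-in cipher for this demo only
    ek, mk, nonce = _prf(key, b"enc"), _prf(key, b"mac"), os.urandom(16)
    pt = json.dumps(obj).encode()
    ks = b"".join(_prf(ek, nonce + bytes([i])) for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + _prf(mk, nonce + ct)

def unseal(key, blob):
    ek, mk = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mk, nonce + ct)):
        raise ValueError("wrong key or tampered blob")
    ks = b"".join(_prf(ek, nonce + bytes([i])) for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def make_eat(key, username):  # "eat": who is asking, and when
    return seal(key, {"user": username, "ts": time.time()})

def check_eat(key, eat, username, skew=120):
    a = unseal(key, eat)
    if a["user"] != username or abs(time.time() - a["ts"]) > skew:
        raise ValueError("authenticator rejected")

def open_ticket(key, ticket, username):
    t = unseal(key, ticket)
    if t["user"] != username or t["exp"] < time.time():
        raise ValueError("ticket rejected")
    return bytes.fromhex(t["sk"])

def new_ticket(lock_key, username, reply_key):
    sk = os.urandom(32).hex()  # fresh session key
    ticket = seal(lock_key, {"user": username, "sk": sk, "exp": time.time() + 300})
    return ticket, seal(reply_key, {"sk": sk})  # one copy per side

class AuthServer:  # combined authentication and ticket-granting server
    def __init__(self, user_keys, service_keys):
        self.users, self.services, self.key = user_keys, service_keys, os.urandom(32)
    def authenticate(self, username, eat):
        check_eat(self.users[username], eat, username)
        return new_ticket(self.key, username, self.users[username])
    def authenticate_to(self, username, eat, tgt, service):
        session = open_ticket(self.key, tgt, username)
        check_eat(session, eat, username)
        return new_ticket(self.services[service], username, session)

def get_auth(service_key, username, eat, service_ticket):  # runs on the service
    check_eat(open_ticket(service_key, service_ticket, username), eat, username)
    return username

def client_login(auth, username, user_key, service):
    tgt, locked = auth.authenticate(username, make_eat(user_key, username))
    s1 = bytes.fromhex(unseal(user_key, locked)["sk"])
    ticket, locked = auth.authenticate_to(username, make_eat(s1, username), tgt, service)
    s2 = bytes.fromhex(unseal(s1, locked)["sk"])
    return make_eat(s2, username), ticket  # present both to the service's getAuth
```

The service never contacts the auth server: it trusts the ticket because only the auth server and the service hold the key that seals it.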
            • Brian Behlendorf
              Message 6 of 20, Sep 20 4:34 PM
                On Thu, 20 Sep 2001, Dave Winer wrote:
                > To your first question, it appears that's not a problem because they're
                > using Kerberos, which is (they say) interoperable and available in lots of
                > server environments.
                >
                > To the latter question, they would probably ask if Mozilla supports
                > Kerberos.

                What a bunch of hooey. Do *they* support Kerberos? The answer is no -
                they support an incompatible technology which happens to share some
                lineage with Kerberos, and because no one trademarked the term Kerberos to
                protect the standard, they're allowed to abuse the name to give themselves
                credit where none is due. The changes they did make are documented, but
                in order to get them you have to click-agree to a rather obscene license.
                I can't even see the license because the "document" is a .exe.

                Unless the discussion today was about releasing those modifications and
                allowing for independent implementation?

                Brian
              • Dave Winer
                Message 7 of 20, Sep 20 4:44 PM
                  > What a bunch of hooey. Do *they* support Kerberos? The answer is no -
                  > they support an incompatible technology which happens to share some
                  > lineage with Kerberos, and because no one trademarked the term Kerberos to
                  > protect the standard, they're allowed to abuse the name to give themselves
                  > credit where none is due. The changes they did make are documented, but
                  > in order to get them you have to click-agree to a rather obscene license.
                  > I can't even see the license because the "document" is a .exe.

                  Brian, that kind of stuff happens all the time. It's hard to keep a standard
                  from being attacked and undermined that way.

                  We've had to fight that in XML-RPC, twice, and we lost that kind of a fight
                  in RSS.

                  I'm in total agreement that better trademarks are essential, and so is basic
                  respect for other people's work.

                  I wonder when our industry is going to get a sense of perspective and do
                  some meaningful cooperative work.

                  Dave
                • Michael Herman (Parallelspace)
                  Message 8 of 20, Sep 20 5:03 PM
                    Here's a pointer to the Kerberos FAQ for Windows 2000:
                    http://support.microsoft.com/support/kb/articles/Q266/0/80.ASP

                    The article covers interop, interop testing, additional support, etc.

                    Michael.

                    -----Original Message-----
                    From: Brian Behlendorf [mailto:brian@...]
                    Sent: Thursday, September 20, 2001 7:34 PM
                    To: decentralization@yahoogroups.com
                    Subject: Re: [decentralization] Good news for decentralization?


                    On Thu, 20 Sep 2001, Dave Winer wrote:
                    > To your first question, it appears that's not a problem because
                    > they're using Kerberos, which is (they say) interoperable and
                    > available in lots of server environments.
                    >
                    > To the latter question, they would probably ask if Mozilla supports
                    > Kerberos.

                    What a bunch of hooey. Do *they* support Kerberos? The answer is no -
                    they support an incompatible technology which happens to share some
                    lineage with Kerberos, and because no one trademarked the term Kerberos
                    to protect the standard, they're allowed to abuse the name to give
                    themselves credit where none is due. The changes they did make are
                    documented, but in order to get them you have to click-agree to a rather
                    obscene license. I can't even see the license because the "document" is
                    a .exe.

                    Unless the discussion today was about releasing those modifications and
                    allowing for independent implementation?

                    Brian
                  • Julian Bond
                    Message 9 of 20, Sep 21 12:24 AM
                      Re Kerberos vs MS Kerberos and implications for Maelstrom Openness.
                      http://www.theregister.co.uk/content/4/21792.html

                      "In short, it's hard to do authorization between a Windows server and a
                      non-Windows server, and that seems to be the way Redmond likes it.
                      Nothing in today's announcements changes this in any way, in fact it
                      confirms the Redmond-centric way of doing business on .NET. "

                      --
                      Julian Bond email: julian_bond@...
                      CV/Resume: http://www.voidstar.com/cv/
                      WebLog: http://www.voidstar.com/
                      HomeURL: http://www.shockwav.demon.co.uk/
                      M: +44 (0)77 5907 2173 T: +44 (0)192 0412 433
                      ICQ:33679568 tag:So many words, so little time