Re: Globus/GSI versus Kerberos - Kerberos


  1. Re: Globus/GSI versus Kerberos

    >I was curious if anyone has any comments (personal/political/technical)
    >or could point me to a decent resource comparing Globus versus
    >Kerberos. I've had to work with Globus quite a bit, and the overall
    >trend in the existing GSI-based research grids is to move towards
    >centrally managed cert/key repositories despite the pure GSI notion of
    >keeping everything distributed. There's a handful of new research
    >projects that basically take GSI and add that "centralized" portion,
    >although in my opinion it's starting to resemble a Kerberos
    >architecture.


    Back in 1999 during a meeting about inter-operable authentication (it
    was actually _at_ SDSC, interestingly enough), Globus was just starting
    up (this was back when Legion was still considered a viable alternative
    instead of the PhD generator everyone considers it now). The Globus
    guys gave a presentation on their authentication infrastructure, and
    I pointed out that they had just reinvented a lot of Kerberos, and asked
    them, "How come you guys didn't just use Kerberos?".

    I was given what I can only politely say was a song and dance about
    Kerberos cross-realm being "too tightly bound to each other", and they
    preferred the "looseness" of certificate chaining, whatever that means.

    When I cornered one of the Globus guys and asked him point-blank the
    same question, he told me that in his opinion the decision to do PKI
    was really driven politically from the top, and he thought Kerberos
    made a LOT more sense.

    In a more practical vein, I will note that Sandia uses (or at least
    used to use) Globus with a Kerberos GSSAPI backend instead of the GSI
    backend. This was a few years ago, so I don't know what they're doing
    now. However, they told me that they were still using Globus 1, and
    that doing Globus 2 was going to be a real bear because of the changes
    they made to the GSSAPI layer for Globus 2 (even doing Globus 1 with
    Kerberos required some GSSAPI changes which never made it back to any
    of the open-source distributions). I dunno if they ever went to Globus
    2 or not (I may be remembering the version numbers wrong, but to me
    this was the gist of what Pat Moore told me). This to me illustrates
    one of the problems with the GSSAPI ... to do the real interesting stuff,
    you end up having to dig down into mechanism-specific extensions and
    you lose the "generic" part of GSSAPI.

    --Ken
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Globus/GSI versus Kerberos

    Ken Hornstein wrote:
    > When I cornered one of the Globus guys and asked him point-blank the
    > same question, he told me that in his opinion the decision to do PKI
    > was really driven politically from the top, and he thought Kerberos
    > made a LOT more sense.


    the original pk-init draft for kerberos specified certificateless operation
    http://www.garlic.com/~lynn/subpubkey.html#certless

    you basically registered a public key with kerberos in lieu of a
    password and then used digital signature authentication with the onfile
    public key (no PKI and/or digital certificates required).
    http://www.garlic.com/~lynn/subpubkey.html#kerberos

    this was basically an authentication technology upgrade w/o having to
    introduce any new business processes and extraneous infrastructure
    operations.

    it was later that certificate-based operation was added to the kerberos
    pk-init draft.

    i gave a talk on this at the global grid forum #11
    http://www.garlic.com/~lynn/index.html#presentation

    at the meeting there was some debate on kerberos vis-a-vis radius as
    an authentication & authorization business process infrastructure.

    note that in addition to there having been a non-PKI, certificate-less
    authentication upgrade for kerberos (using onfile public keys), there
    has been a similar proposal for RADIUS; basically registering public
    keys in lieu of passwords and performing digital signature
    authentication with the onfile public keys.
    http://www.garlic.com/~lynn/subpubkey.html#radius

    Straightforward upgrade of the authentication technology w/o having
    to layer on a separate cumbersome PKI business process.
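
The certificate-less scheme described in the second post (a public key registered in lieu of a password, then signature authentication against the on-file key) can be sketched as a challenge-response exchange. This is an added example, not code from the thread or from any Kerberos or RADIUS implementation, and it is not the PK-INIT wire protocol; the `Registry` type, the `signedMessage` framing, the principal name and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is the server's account file: a public key is on file for each
// principal where a password verifier would be. No certificate or CA is used.
type Registry struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per principal
}

// Challenge issues a fresh one-time nonce to a registered principal.
func (r *Registry) Challenge(principal string) ([]byte, error) {
	if _, ok := r.keys[principal]; !ok {
		return nil, fmt.Errorf("unknown principal %q", principal)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.pending[principal] = nonce
	return nonce, nil
}

// signedMessage binds the signature to this exchange and principal.
func signedMessage(principal string, nonce []byte) []byte {
	return append([]byte("certless-auth\x00"+principal+"\x00"), nonce...)
}

// Verify checks a response against the on-file key. The challenge is consumed
// on every attempt, so a captured response cannot be replayed.
func (r *Registry) Verify(principal string, sig []byte) bool {
	nonce, ok := r.pending[principal]
	delete(r.pending, principal)
	return ok && ed25519.Verify(r.keys[principal], signedMessage(principal, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample key pair
	reg := &Registry{keys: map[string]ed25519.PublicKey{"alice": pub}, pending: map[string][]byte{}}
	nonce, _ := reg.Challenge("alice")
	sig := ed25519.Sign(priv, signedMessage("alice", nonce)) // client signs with its private key
	fmt.Println("first use:", reg.Verify("alice", sig), "replay:", reg.Verify("alice", sig))
}
```

Unlike a password file, the server stores nothing here that lets someone who reads it impersonate the user, but the on-file keys still need integrity protection, since swapping an entry swaps who can log in.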

