Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!uunet!stanford.edu!APOLLO.COM!pato
From: pato@APOLLO.COM (Joe Pato)
Newsgroups: comp.protocols.kerberos
Subject: Re: Integrity of MIT source
Message-ID: <9103081659.AA21439@ATHENA.MIT.EDU>
Date: 8 Mar 91 16:40:30 GMT
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Lines: 17

security audit over the code. In this respect, vendor releases of Kerberos are likely to be worse, since you don't get the source code, and so you have to take the vendor's word that there are no back doors. I, personally, would rather take a look at the source code myself, and assure myself that a piece of security-related code is free of holes, accidental or otherwise.

It may be true that a vendor does not release the source code to Kerberos - but then again the vendor probably also does not release the source code to the OS or to the login program or any other component of the trusted computing base.

-- Joe Pato
Cooperative Computing Division
Hewlett-Packard Company
pato@apollo.hp.com
-------