From: rhc@HPLB.HPL.HP.COM (Robert Cole)
Newsgroups: comp.protocols.iso
Subject: Re: kerberos and the ISO protocol standards
Message-ID: <8912180928.AA07892@rcole.hpl.hp.com>
Date: 18 Dec 89 09:28:15 GMT
References: <8912150831.AA21377@asylum.sf.ca.us>
Sender: usenet@ucbvax.BERKELEY.EDU
Organization: The Internet

> It is too bad that the "standards" efforts going on in the
> communications area are not codifying tried-and-true experience --
> which I assert is the proper and correct role of "standards" activity.
> Instead it seems that the so-called standards groups insist on
> performing research.
>
> What is wrong with "standardizing" Kerberos? A standard only provides
> a clear statement of the workings and interfaces of a mechanism -- it
> is not an endorsement that it is the best way to solve a problem. If
> two people then choose to use it, they then have a common frame of
> reference. And they will be able to get on with whatever larger job
> they have at hand.
>
> Again, I believe that the "standards" groups are suffering from a very
> serious, and very expensive case of "not invented here".
>
> --karl--

You seem to be fairly convinced that standards makers are all luddites;
no doubt you have been attending too many standards meetings. However,
I will try to explain why input to standards gets changed, and why it
is not as expensive as you would believe.

First, you must realise that having more than one standard for anything
is as bad as having no standard. A manufacturer will have to support
all standards in a product. Let's imagine there are 3 standards for
screw threads, one metric and two imperial. Then a nut manufacturer has
to meet all three standards in all sizes of nuts, regardless of demand!
The same would be true if there were several authentication standards.
If you sold a product requiring the use of authentication you would
have to support use of all the standards because you could not
anticipate which authentication standard your customers' authentication
server would use at any time. Clearly this is expensive and you know
who will pay.

Given that only one standard will be acceptable, you then have to
decide on it in a democratic manner. There are two pressures on a
standard:

1. from those with existing activity in the area; I am fairly confident
   that Kerberos is not the only authentication system which has vested
   interests;

2. from those who want to see the standard somewhat future-proof by
   making the standard more general than any individual application
   would seem to warrant.

Given that any input to a standard must be from a vested interest with
a limited application, or from a theoretical standpoint looking for
generality, you can see that if democratic principles are to apply then
there must be compromises. Consequently you cannot have back what you
first thought of.

I hope you agree that democracy and economics are best served by a
single standard that meets the perceived needs of the widest community.

Have a happy Christmas,
Robert.