Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!cs.utexas.edu!sun-barr!lll-winken!decwrl!shelby!MIT.EDU!jon
From: jon@MIT.EDU (Jon A. Rochlis)
Newsgroups: comp.protocols.kerberos
Subject: Re: kerberos and the ISO protocol standards
Message-ID: <8912141955.AA25301@DELWIN.MIT.EDU>
Date: 14 Dec 89 19:55:01 GMT
References: <891213123233.5280012c@CCC.NMFECC.GOV>
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 26

    From: NESSETT@CCC.NMFECC.GOV
    Message-Id: <891213123233.5280012c@CCC.NMFECC.GOV>
    Subject: Re: kerberos and the ISO protocol standards
    To: KERBEROS@ATHENA.MIT.EDU

    Implementations of X.509 are in approximately the same stage of
    development as kerberos, although slightly behind. While the
    developers of kerberos are to be congratulated for their industry
    and appreciation of the significance of the distributed systems
    security problem, the certificate approach is much more likely than
    kerberos to be used in ISO standards.

Certificates have major advantages, it is true. However, the choice of
an asymmetric encryption algorithm (i.e. RSA) creates tremendous
legal/financial problems, while the use of DES trumps those. So far the
only public arrangements with RSADI (who controls the RSA patent) are
for the Internet e-mail keys (at $25 a user / per 2 years). Nobody
knows what arrangements can be had for any other use.

While I believe the RSA problems only apply within the US (and exclude
the government and MIT), that still leaves a lot of people with serious
exposure if they elect to go the X.509 route ... whereas they can go
with Kerberos now and not pay anybody any money.

-- Jon