Hector Santos <hsantos(_at_)santronics(_dot_)com> writes:
> 2) There is a licensing issue, and unless it is already licensed by the
> OS and offered as an API entry point, adding this to your software is a
> costly endeavor. Again see #1

There is no licensing requirement for Kerberos. There are multiple
interoperating free software (not even GPL'd) implementations and the
protocol is an IETF standard.

> I support a Kerberos SMTP AUTH extension proposal, if only as another
> AUTH alternative.

There's no need for any such proposal. RFC 4752 has been a proposed
standard for five years.
If one wanted to put together a more comprehensive framework, there may
need to be a new standard governing what specific principal names should
be used by SMTP services and how to handle the (very serious) cross-realm
trust issues, but that's another matter entirely and doesn't require any
changes to the SMTP protocol.

> #1) Kerberos is deemed much stronger largely due to its client/server
> time synchronization dependency.

The time synchronization requirement for Kerberos is nowhere near as
strong as you seem to think it is.
I think it's a poor fit for this problem space for the reasons pointed out
by Keith Moore, but some of these objections seem to come from a serious
lack of understanding of what Kerberos is, how it integrates with SMTP,
and how it works.
--
Russ Allbery (rra(_at_)stanford(_dot_)edu)
<http://www.eyrie.org/~eagle/>