
Re: SMTP Kerberos Considerations

2011-11-02 19:38:46

Hector Santos <hsantos(_at_)santronics(_dot_)com> writes:

> 2) There is a licensing issue, and unless it is already licensed by the
> OS and offered as an API entry point, adding this to your software is a
> costly endeavor.  Again see #1

There is no licensing requirement for Kerberos.  There are multiple
interoperating free software (not even GPL'd) implementations and the
protocol is an IETF standard.

> I support a Kerberos SMTP AUTH extension proposal, if only as another
> AUTH alternative.

There's no need for any such proposal.  RFC 4752 has been a proposed
standard for five years.

If one wanted to put together a more comprehensive framework, there may
need to be a new standard governing what specific principal names should
be used by SMTP services and how to handle the (very serious) cross-realm
trust issues, but that's another matter entirely and doesn't require any
changes to the SMTP protocol.

> #1) Kerberos is deemed much stronger largely due to its client/server
> time synchronization dependency.

The time synchronization requirement for Kerberos is nowhere near as
strong as you seem to think it is.

I think it's a poor fit for this problem space for the reasons pointed out
by Keith Moore, but some of these objections seem to come from a serious
lack of understanding of what Kerberos is, how it integrates with SMTP,
and how it works.

Russ Allbery (rra(_at_)stanford(_dot_)edu)