Archive for November, 2007

Sticking Everyone in a Room

Friday, November 30th, 2007 by hartmans

This week we started an experiment to try to improve teamwork and get people involved in each other’s projects. We stuck everyone in a conference room from 11 to 4 on Tuesday. However, it wasn’t a meeting; it was a work session. Preliminary results from the first instance were very positive. We were all working on presentations for the upcoming consortium board meeting, and it proved an excellent opportunity to confirm that various presentations were consistent with each other. Another group of people was working on understanding how to effectively use our new project management tool. Still a third group was working on the website. People floated back and forth between these groups. I will be interested to see how this works when people are working on more technical than administrative issues.

Opening Kerberos Policies and Development

Friday, November 23rd, 2007 by hartmans

I mentioned shortly after the consortium launch that one of the tasks on our plate was to open up MIT Kerberos as a project. We had some promising initial meetings, but I needed to put together a proposal with some concrete policies. I’ve taken a stab at that. In particular, I’m proposing to create K5Wiki, a place to coordinate activities related to MIT Kerberos development. We already have a thriving mailing list culture for discussing things. We don’t have a good way to make public documents such as project proposals, project designs, release timelines and roadmaps available. I hope that this wiki can accomplish some of that. Other efforts are under way to make available details of what consortium staff are working on, at least for members of the consortium. Together these two efforts will significantly improve transparency.

Currently K5Wiki is a proposal I’m making to the community. We’ll have a discussion on krbdev@mit.edu and see whether the community likes it. If not, I hope someone has good ideas for alternatives.

New Phishing draft Published

Tuesday, November 20th, 2007 by hartmans

A new version of my phishing draft is out. This draft significantly improves the discussion of the threat model based on comments I’ve received. I’ve also tried to distinguish between two uses of passwords: passwords as a user interface element and plaintext passwords sent as a protocol element. The first is a necessity if we’re going to meet users’ needs; the second must be avoided.

RFC 5056 Published

Tuesday, November 20th, 2007 by hartmans

I wrote about the challenge of securing high-performance connections in NFS. One of the technologies that will be important to making that work is channel binding. You perform some application-layer authentication and then bind it to a high-performance cryptographic channel at a lower layer. The framework document describing how channel binding works has been published.

The document describes channel binding as a concept and gives requirements for how to use lower-level cryptographic channels such as IPsec. The document doesn’t define specific details of any given channel but does outline what would need to be done. Work is ongoing in the BTNS working group of the IETF to specify this for IPsec.

The document goes on to discuss how applications can use these channels. The SASL working group has defined a binding for GSS-API that supports channel binding. That has been a good validation of the design. We will also work on using this in NFS, which should continue to validate the approach. I’m very excited at the progress we’ve made with this concept.
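The binding step described above, as an added example that is not from the original post or from RFC 5056: an application-layer authentication token is computed over the lower-layer channel's binding value, so a server sitting on a different channel than the client rejects it. All function names are hypothetical, and the hash of a random handshake is a constructed stand-in for the binding value a real channel would export.

```python
import hashlib
import hmac
import os

def channel_binding(handshake: bytes) -> bytes:
    # Constructed stand-in: a real channel exports its own binding value.
    return hashlib.sha256(b"channel-binding:" + handshake).digest()

def auth_token(key: bytes, nonce: bytes, binding: bytes) -> bytes:
    # Application-layer proof of the key that also commits to the channel.
    # nonce is a fixed 16 bytes, so the concatenation is unambiguous.
    return hmac.new(key, nonce + binding, hashlib.sha256).digest()

def server_accepts(key: bytes, nonce: bytes, token: bytes, binding: bytes) -> bool:
    # The server recomputes the token over the binding of ITS end of the channel.
    return hmac.compare_digest(auth_token(key, nonce, binding), token)

def run_exchange(bind: bool, intermediary: bool) -> bool:
    """Return True if the server accepts the client's authentication.

    bind:         include the channel binding in the authentication token
    intermediary: client and server are on two different lower-layer
                  channels (each end saw a different handshake)
    """
    key = os.urandom(32)     # credential shared by client and server (assumption)
    nonce = os.urandom(16)   # server challenge
    client_handshake = os.urandom(64)
    server_handshake = os.urandom(64) if intermediary else client_handshake
    client_cb = channel_binding(client_handshake) if bind else b""
    server_cb = channel_binding(server_handshake) if bind else b""
    token = auth_token(key, nonce, client_cb)
    return server_accepts(key, nonce, token, server_cb)

if __name__ == "__main__":
    for bind in (False, True):
        for intermediary in (False, True):
            print(f"bind={bind!s:5} intermediary={intermediary!s:5} "
                  f"accepted={run_exchange(bind, intermediary)}")
```

Without the binding, authentication succeeds even when the two ends are on different channels; with it, the mismatch is detected at the application layer.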