Archive for April, 2008

Board Meeting and Roadmap

Friday, April 11th, 2008 by hartmans

Monday, the consortium board met at Google. As I discussed, I presented a plan for the consortium road map. The road map presentation went reasonably well. The board generally seemed to support the road map and they gave useful feedback on ways to improve it. The specifics will be in the board notes, which will come out shortly on the consortium site. However I’d like to point to a few specific changes that need to happen to the road map as a result of the meeting.

It’s power, stupid! The section on mobile devices discusses the mobile environment in terms of CPU, memory and networking. That’s missing the most critical factor to consider when looking at mobile platforms: power consumption. “Oops,” is all I can say. I certainly was aware of the importance of power and of how both network and CPU utilization are an important factor in power utilization. I just completely failed to talk about it when discussing the road map. That clearly needs to be fixed.

There was an enlightening discussion about the difference between web services interactions and Kerberos interactions. Slava Kavsan pointed out that Kerberos is missing three things that are important in B2B web services environments. There is no policy exchange where the relying party can explain what information it will need from the security infrastructure. The client does not have an opportunity to provide its preferences to the KDC in order to describe what information it wants disclosed. The KDC does not provide different relying parties with different information. Also, there is no standardized format for describing any useful claims about a subject in Kerberos. I touched on some of these issues at IETF 64 in 2005. I think that an interesting question for the consortium will be how to deal with these issues. Is it better to extend Kerberos, or to combine Kerberos with something else? I think that it is important that if Kerberos is combined it is done in such a way that it works for all GSS applications and for web services. So, extending Kerberos is probably harder. You have to decide when to go get a new ticket and have APIs both in GSS-API and Kerberos for doing that. However some of the application integration may be easier. Combining Kerberos with something else, where Kerberos handles the authentication and some other provider handles assertions about identity may be easier from an API standpoint for web services applications. It seems like you’re going to lose a lot of the flexibility of Kerberos though if you do that. Will you lose the caching of credentials? Will you be able to take advantage of new Kerberos extensions in such a system? I think looking at these issues will be a critical upcoming challenge for the consortium.
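To make the three gaps concrete, here is a small added model (not code from the post, the consortium, or any Kerberos implementation). It contrasts a Kerberos-style issuer, which puts the same authorization data in every ticket regardless of the service, with a claims-style issuer that takes a relying party's policy (what it needs and what it would like), takes the client's disclosure preferences, and mints a different token for each relying party. The claim names, the `RelyingPartyPolicy`/`ClientPreferences` structures and the sample subject data are all constructed for illustration; nothing here is a real protocol message.

```python
"""Toy model of the three things the post says Kerberos lacks for B2B
web services: a relying-party policy exchange, client disclosure
preferences sent to the issuer, and per-relying-party disclosure.
Constructed example; not from the post or any Kerberos code base."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RelyingPartyPolicy:
    """What a relying party tells the issuer it needs (hypothetical format)."""
    name: str                      # audience the token is minted for
    required: frozenset            # claims the RP cannot work without
    optional: frozenset = frozenset()  # claims it would like if released


@dataclass(frozen=True)
class ClientPreferences:
    """What the client tells the issuer about disclosure (hypothetical)."""
    never_disclose: frozenset = frozenset()   # withhold from every RP
    allow_optional: frozenset = frozenset()   # optional claims it will release


class DisclosureError(Exception):
    """Raised when policy and preferences cannot be reconciled."""


# Constructed subject record: everything the issuer *could* assert.
SUBJECT_CLAIMS = {
    "sub": "alice@EXAMPLE.COM",
    "email": "alice@example.com",
    "dept": "research",
    "clearance": "secret",
    "employee_id": "E-1001",
}


def kerberos_style_issue(subject: dict) -> dict:
    """Kerberos analogue: the KDC emits the same authorization data for
    every service. No policy comes from the service, the client cannot
    express preferences, and every relying party sees the same content."""
    return dict(subject)


def claims_style_issue(subject: dict, policy: RelyingPartyPolicy,
                       prefs: ClientPreferences) -> dict:
    """Claims analogue: mint a token scoped to one relying party.

    Required claims must be released or the request fails; optional
    claims are released only if the client opted in; anything the client
    marked never_disclose is dropped even if the RP asked for it."""
    withheld = policy.required & prefs.never_disclose
    if withheld:
        raise DisclosureError(
            f"{policy.name} requires {sorted(withheld)} but client withholds them")
    missing = policy.required - set(subject)
    if missing:
        raise DisclosureError(
            f"issuer cannot assert {sorted(missing)} for this subject")
    release = set(policy.required)
    release |= (policy.optional & prefs.allow_optional) - prefs.never_disclose
    token = {"aud": policy.name}
    token.update({c: subject[c] for c in sorted(release) if c in subject})
    return token


if __name__ == "__main__":
    hr = RelyingPartyPolicy("hr.partner.example", frozenset({"sub", "employee_id"}),
                            frozenset({"email", "dept"}))
    prefs = ClientPreferences(never_disclose=frozenset({"clearance"}),
                              allow_optional=frozenset({"email"}))
    print("kerberos-style:", kerberos_style_issue(SUBJECT_CLAIMS))
    print("claims-style:  ", claims_style_issue(SUBJECT_CLAIMS, hr, prefs))
```

The two issue functions are where the post's gaps show up: `kerberos_style_issue` has no policy or preference parameters because there is nowhere in the ticket exchange to carry them, while `claims_style_issue` only makes sense with both. A second relying party that requires `clearance` gets a `DisclosureError` under the same client preferences, which is exactly the per-relying-party behaviour the KDC cannot offer today.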