Why Microsoft's Open HailStorm promises flatter to deceive
Embrace and extend Pidgin Squadrons flap home to roost
Today's Hailstorm announcement was cultivated to gain maximum favourable publicity for Microsoft, but Redmond's concessions amount to nothing it hasn't already conceded, in one form or another.
In fact, seasoned watchers including Jeremy Allison - co-lead of the SAMBA project - interpret the "concessions" as extending the requirement for Microsoft's partners to include proprietary technology in their .NET compliant web services.
So what was new, today?
Microsoft promised to include the 'industry standard' Kerberos 5 protocol in Hailstorm, and HailStorm is now officially monikered ".Net My Services", if you .please. Microsoft also said it would open authentication to third party brokers.
A pre-briefed David Coursey at ZDNet was beside himself with joy. It was a "stunning" announcement, he opined. The news that "Passport and other 'federated' services would accept Kerberos 'tickets' supplied by the others," he said, was "good news for Microsoft, the industry, and consumers".
Alas, there's a world of difference between authentication and authorization, and that's at the nub of understanding today's announcement.
An authentication server takes a user name and password, and raises a simple yes/no flag whether the combination fits or not. Authorization actually gives the user rights to the services on offer.
Authorization allows you to use printer Y, or access files from X, or not, and if you're beginning to think that web services without authorization rights are essentially meaningless, then collect $50 and pass go, because you're right on the button.
Not only has this distinction - between authentication and authorization - plagued the tech community for years, but it's one that's already been exploited by The Beast, which has leapt into the open wound with its own proprietary implementation of Kerberos, which is the years-old open standard for authentication.
The Kerberos protocol specifies authentication clearly and simply: you go to a Kerberos server, and get a ticket. The ticket is then presented to an authorization server, which returns it with various access rights allowed. But the Kerberos protocol doesn't cover authorization itself.
This isn't an open standard, and in fact no one can agree on a single way to do it, although everyone agrees not to bugger up the Kerberos ticket with machine-specific details. And so authorization evolved as a DCE (Distributed Computing Environment) standard. When we say that no one has buggered up the ticket, there is, as you might guess, one exception...
"There's no common represenation of a 'user' across all systems, sure, but the idea was that you don't pollute the Kerberos ticket with that local system's idea of what a user is," explains Allison.
"Microsoft's implementation of Kerberos actually wraps the authorization in the ticket," he says.
"They subverted it and put inside a standard ticket. The result was that only tickets issued on Windows 2000 machines could be useful on other Windows 2000 machines, without a lot of a manual mapping, which is a massive pain and is so tedious that no one is ever going to do it."
Readers with long memories will remember the furore when Microsoft documented its Kerberos implementation, and then sent its legal attack dogs round to our friends at Slashdot who hosted postings containing the details of this 'open' implementation.
In short, it's hard to do authorization between a Windows server and a non-Windows server, and that seems to be the way Redmond likes it. Nothing in today's announcements changes this in any way, in fact it confirms the Redmond-centric way of doing business on .NET.
Allison summarizes the politics like this:-
"They're very clever. They know the smallest amount of control they need to leverage monopoly. If you have a server that does authentication and authorization, then you have the equivalent of a Windows Primary Domain Controller, and that's their terror," he says.
"Once someone usurps the PDC they can provide the equivalent of an Active Directory service on Linux," he says, at a fraction of the cost.
And so it returns to the commodity protocols argument, as revealed in the Halloween memos and repeated ad infinitum. Mind you, given the positive spin that the wires have already put on this move, it's halfway to success.
We put a call into Sun, and got this response:-
"Sun believes that many companies should be authenticators, therefore providing open competition for businesses and consumers."
"In the coming weeks, Sun, along with partners such as banks and insurance companies, will offer their own authentication services. It is not, however, our policy to disclose these discussions until there are appropriate and mutually agreed upon details to announce. We have no formal statement at this time."
Hmm. That suggests they're still fixed on the authentication distraction, not the authorization end-run. Hopefully some one can lend them a clue.
Microsoft had not returned our calls at press time.
From the we-told-you-so-Dept:-
"Microsoft's holier-than-thou standards pitch for .Net could be undermined by its insistence on using its own, non-standard version of Kerberos"
- The Register, 27 March 2001.
That's not us, by the way - think of us as straw-sucking hayseeds who don't have a clue, and definitely don't get pre-briefed by the corporate PR machinery - but instead cock a hat to the prescient Mat Hanrahan at analysts Bloor Research. We were just dumb enough to be standing around at the time. Honest. ®
Sponsored: The Nuts and Bolts of Ransomware in 2016