Why Microsoft's Open HailStorm promises flatter to deceive

Embrace and extend Pidgin Squadrons flap home to roost


Today's Hailstorm announcement was cultivated to gain maximum favourable publicity for Microsoft, but Redmond's concessions amount to nothing it hasn't already conceded, in one form or another.

In fact, seasoned watchers including Jeremy Allison - co-lead of the SAMBA project - interpret the "concessions" as extending the requirement for Microsoft's partners to include proprietary technology in their .NET compliant web services.

So what was new, today?

Microsoft promised to include the 'industry standard' Kerberos 5 protocol in Hailstorm, and HailStorm is now officially monikered ".Net My Services", if you .please. Microsoft also said it would open authentication to third party brokers.

A pre-briefed David Coursey at ZDNet was beside himself with joy. It was a "stunning" announcement, he opined. The news that "Passport and other 'federated' services would accept Kerberos 'tickets' supplied by the others," he said, was "good news for Microsoft, the industry, and consumers".

Alas, there's a world of difference between authentication and authorization, and that's at the nub of understanding today's announcement.

An authentication server takes a user name and password, and raises a simple yes/no flag whether the combination fits or not. Authorization actually gives the user rights to the services on offer.

Authorization allows you to use printer Y, or access files from X, or not, and if you're beginning to think that web services without authorization rights are essentially meaningless, then collect $50 and pass go, because you're right on the button.

Not only has this distinction - between authentication and authorization - plagued the tech community for years, but it's one that's already been exploited by The Beast, which has leapt into the open wound with its own proprietary implementation of Kerberos, which is the years-old open standard for authentication.

Here's how.

The Kerberos protocol specifies authentication clearly and simply: you go to a Kerberos server, and get a ticket. The ticket is then presented to an authorization server, which returns it with various access rights allowed. But the Kerberos protocol doesn't cover authorization itself.

Authorization isn't an open standard, and in fact no one can agree on a single way to do it, although everyone agrees not to bugger up the Kerberos ticket with machine-specific details. And so authorization evolved as a DCE (Distributed Computing Environment) standard. When we say that no one has buggered up the ticket, there is, as you might guess, one exception...

"There's no common representation of a 'user' across all systems, sure, but the idea was that you don't pollute the Kerberos ticket with that local system's idea of what a user is," explains Allison.

"Microsoft's implementation of Kerberos actually wraps the authorization in the ticket," he says.

"They subverted it and put it inside a standard ticket. The result was that only tickets issued on Windows 2000 machines could be useful on other Windows 2000 machines, without a lot of manual mapping, which is a massive pain and is so tedious that no one is ever going to do it."
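To make the distinction concrete, here is an added Python model (not from the article, and not Samba or Microsoft code) of the two ways a non-Windows service can decide rights: the standard split, where the ticket only proves identity and rights come from a separate local lookup, and the Windows-style ticket that carries group identifiers the service can only use through a hand-maintained mapping. The ad-type value 128 is Microsoft's PAC type from the Kerberos RFC rather than from the article; the principals, SIDs and rights are constructed samples.

```python
from dataclasses import dataclass, field

# ad-type registered for Microsoft's PAC in the Kerberos spec (RFC 4120); not from the article.
AD_WIN2K_PAC = 128


@dataclass
class Ticket:
    """Minimal model of a Kerberos ticket: who was authenticated, plus optional authorization-data."""
    principal: str
    realm: str
    authorization_data: list = field(default_factory=list)  # list of (ad_type, ad_data) pairs


# Constructed sample: the service's own authorization store, keyed only by Kerberos principal.
LOCAL_RIGHTS = {
    ("alice", "EXAMPLE.COM"): {"print:Y", "read:X"},
}

# Constructed sample: the "manual mapping" a non-Windows service must maintain from
# Windows group identifiers found inside the ticket to its own local rights.
SID_MAP = {
    "S-1-5-21-1-2-3-513": {"read:X"},
}


def authorize_standard(ticket: Ticket) -> set:
    """Standard split: the ticket proves identity; rights come from a separate local lookup."""
    return set(LOCAL_RIGHTS.get((ticket.principal, ticket.realm), set()))


def authorize_from_embedded(ticket: Ticket, sid_map=SID_MAP):
    """Windows-style ticket: authorization rides inside the ticket as group identifiers.
    Returns (rights granted, identifiers this service has no mapping for)."""
    rights, unmapped = set(), []
    for ad_type, ad_data in ticket.authorization_data:
        if ad_type != AD_WIN2K_PAC:
            continue  # other authorization-data types are ignored by this service
        for sid in ad_data:
            if sid in sid_map:
                rights |= sid_map[sid]
            else:
                unmapped.append(sid)  # no local meaning: the "manual mapping" gap
    return rights, unmapped


# Constructed tickets: one plain Kerberos ticket, one with embedded Windows group data.
PLAIN = Ticket("alice", "EXAMPLE.COM")
WINDOWS = Ticket("bob", "CORP.EXAMPLE",
                 [(AD_WIN2K_PAC, ["S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1105"])])

if __name__ == "__main__":
    print(authorize_standard(PLAIN))
    print(authorize_from_embedded(WINDOWS))
```

The second call shows the interop problem Allison describes: one embedded group maps to a local right, the other is meaningless to the non-Windows service until someone adds it to the mapping by hand.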

Readers with long memories will remember the furore when Microsoft documented its Kerberos implementation, and then sent its legal attack dogs round to our friends at Slashdot who hosted postings containing the details of this 'open' implementation.

In short, it's hard to do authorization between a Windows server and a non-Windows server, and that seems to be the way Redmond likes it. Nothing in today's announcements changes this in any way, in fact it confirms the Redmond-centric way of doing business on .NET.

Allison summarizes the politics like this:-

"They're very clever. They know the smallest amount of control they need to leverage monopoly. If you have a server that does authentication and authorization, then you have the equivalent of a Windows Primary Domain Controller, and that's their terror," he says.

"Once someone usurps the PDC they can provide the equivalent of an Active Directory service on Linux," he says, at a fraction of the cost.

And so it returns to the commodity protocols argument, as revealed in the Halloween memos and repeated ad infinitum. Mind you, given the positive spin that the wires have already put on this move, it's halfway to success.

We put a call into Sun, and got this response:-

"Sun believes that many companies should be authenticators, therefore providing open competition for businesses and consumers."

"In the coming weeks, Sun, along with partners such as banks and insurance companies, will offer their own authentication services. It is not, however, our policy to disclose these discussions until there are appropriate and mutually agreed upon details to announce. We have no formal statement at this time."

Hmm. That suggests they're still fixed on the authentication distraction, not the authorization end-run. Hopefully someone can lend them a clue.

Microsoft had not returned our calls at press time.

From the we-told-you-so-Dept:-

"Microsoft's holier-than-thou standards pitch for .Net could be undermined by its insistence on using its own, non-standard version of Kerberos"
- The Register, 27 March 2001.

That's not us, by the way - think of us as straw-sucking hayseeds who don't have a clue, and definitely don't get pre-briefed by the corporate PR machinery - but instead cock a hat to the prescient Mat Hanrahan at analysts Bloor Research. We were just dumb enough to be standing around at the time. Honest. ®
