Tuesday, December 20, 2005

Kerberos for Windows 3.0 update

Release Candidate 1 of the OpenAFS plug-in for KFW 3.0's Network Identity Manager is now available from the Secure Endpoints web site: https://www.secure-endpoints.com.

This release provides the full set of functionality necessary to manage token acquisition for multiple cells from a single Kerberos 5 principal.

Monday, December 19, 2005

New Daily Builds of OpenAFS for Windows

Today there are new daily builds of OpenAFS for Windows in both 32-bit and 64-bit versions available from http://web.mit.edu/jaltman/Public/OpenAFS/. The builds are dated 20051219.

They include performance improvements when fcrypt is in use and better logging of messages to the Windows Event Log.

Monday, December 5, 2005

MIT Kerberos for Windows 3.0 and Network Identity Manager 1.0 finally ship

It's been a long week but MIT's Kerberos for Windows 3.0 and the NEW Network Identity Manager have finally been shipped. I cannot give enough praise to Asanka for all of his hard work on this project. It would not have happened without him.

Thursday, December 1, 2005

OpenAFS for Windows 1.4.1 RC2 and MIT Kerberos for Windows 3.0 Beta 2

Yesterday was a busy day. OpenAFS for Windows version 1.4.1 RC2 has been announced as well as MIT Kerberos for Windows beta 2.

The OpenAFS release can be downloaded from http://dl.openafs.org/dl/openafs/candidate/1.4.1-rc2/winnt/

The MIT Kerberos release can be downloaded from http://web.mit.edu/kerberos/.

MIT Kerberos for Windows 3.0 marks a turning point in the product's history. For the first time, KFW, through the new Network Identity Manager, makes it possible to manage multiple Kerberos 5 identities at once. The NetIdMgr is based on the Khimaira Identity Management Framework, which was described in a talk at the 2005 AFS & Kerberos Best Practices Conference at CMU. A copy of the presentation can be found at: http://www.secure-endpoints.com/talks/AFS-BPW-2005-Khimaira.pdf

The Khimaira framework enables the concepts of "identity" and "credentials" to be managed separately. In the modules shipped with MIT KFW 3.0, a single Kerberos 5 identity manager is included that allows users to maintain identities based upon Kerberos 5 principal names represented by Kerberos 5 Ticket Granting Tickets. Credential Managers are then provided to manage policy and perform initial credential acquisition and renewals for each specific credential type. In KFW 3.0, two Credential Managers are provided, one for Kerberos 5 and one for Kerberos 4. The Kerberos 5 Credential Manager maintains policy such as whether or not TGTs obtained should be forwardable, renewable, with what lifetimes, and whether or not they should be renewed before expiration. The Kerberos 4 Credential Manager receives notifications whenever a Kerberos 5 TGT is obtained and, based upon its policy, determines whether or not to generate a Kerberos 4 TGT via krb524d.


Secure Endpoints is providing an AFS Credential Manager that can be used to obtain tokens for an arbitrary number of cells in response to a Kerberos 5 identity being updated with a new TGT.
It is hoped that other organizations will take advantage of this new framework to add support for automated X.509 Certificate Acquisition.