March 4th, 2007

Kerberos Pre-authentication

I may have talked about some of this before, but I cannot find the entry. Back in 2004, I wrote a proposal for how to abstract out Kerberos pre-authentication and how to think about the state model. I gave up on that proposal because it seemed too complicated even for me. I understood what state needed to be captured, but did not understand how you could do anything simple within the framework I created. So I reluctantly gave up on the proposal.

Last year, the issue came up again. Larry Zhu, the lead Kerberos developer from Microsoft, wanted to put together some way to accomplish some of the same goals I was talking about in 2004. I told him I'd tried to go down that path and found it too complicated; I sent him my old document so he could see what I ran into. He wrote back and said he really liked what I had written and wanted to work on finishing it. I was dubious that I would like the result.

Now, having reviewed what he's doing and having spent a lot of energy working on the proposal, I think he did find a way around my problems. I'm very excited about what we're doing. Also, working with Larry is a lot of fun. This is more enjoyable because it is creating new technical work. So much of what I do in the IETF is review others' work. It is pleasurable to be working on something of my own from time to time.