Dr. Dobb's is part of the Informa Tech Division of Informa PLC


Embrace, Extend, Extinguish: Three Strikes And You're Out

Aug00: Editorial

At just about any gathering of Microsoft employees, Mensa cards are as common as canapés and Ph.D. sheepskins are as numerous as napkins. Which makes you wonder how a company so replete with smart people can do so many dumb things.

For instance, whose bright idea was it to try to turn the open Kerberos security standard into a proprietary specification, then unleash lawyers on anyone who discussed it? The story goes like this: When implementing security for Windows 2000, Microsoft settled on the Kerberos user authentication and session key distribution system. Based on work done more than 20 years ago, Kerberos is well known, understood, and generally considered a solid system. In the spirit of its strategy to "embrace, extend, and extinguish" open standards, however, Microsoft extended Kerberos with undocumented proprietary features in an effort to prevent interoperability -- one of Kerberos's strong suits. Specifically, the Windows 2000 Kerberos implementation makes use of an undefined field to store authorization data. This field was intentionally left undefined by Kerberos's authors so that vendors (like Microsoft) could implement customized versions. The upshot in this case is that, although Microsoft claims otherwise, non-Microsoft servers can't access the security features of Windows 2000, making it difficult (if not impossible) for non-Microsoft versions of Kerberos to work on networks that have Windows 2000 desktops and non-Microsoft servers. Strike one.

Microsoft tried to weasel out by splitting syntactical hairs, particularly in its definition of "interoperable." According to Microsoft, Kerberos interoperability addresses only the authentication process, which is clearly defined in the open specification. Microsoft went on to contend that interoperability does not involve authorization, which is where the data field comes into play. Microsoft is open about this: If you want access rights to Windows 2000 applications, the operating system has to process its own authorization.

Kerberos proponents had scarcely yelled "foul" before government antitrust lawyers were all over Microsoft like a cheap suit. However, the day before a government court brief was filed, Microsoft blinked -- well, sort of. What the company did was call into play the old trade-secrets/intellectual-property gambit and required everyone reading the spec to sign a nondisclosure agreement that barred reproduction or redistribution of the information. But according to Clifford Neuman, senior researcher at the University of Southern California, principal author of the original MIT version of Kerberos, and editor of the Internet Engineering Task Force's Kerberos standard document, Microsoft's trade-secret claim is balderdash, since he first described the scheme in 1993 (see ftp://ftp.isi.edu/in-notes/rfc1510.txt). Considering the status of antitrust procedures at the time, you have to wonder who came up with the NDA tactic, since it again opened the door for critics charging that Microsoft leverages monopoly powers to force people to use its servers. Strike two.

As if all this wasn't odious enough, when derogatory comments about Microsoft's approach to Kerberos cropped up on Slashdot (http://www.slashdot.org/), the best idea the Microsoft brain trust could come up with was censorship. Using the Digital Millennium Copyright Act (a smelly piece of law bought and paid for by the entertainment industry), Microsoft tried to coerce Slashdot into removing reader posts on its web site, citing "unauthorized reproductions of Microsoft's copyrighted work." Strike three.

To its credit, Slashdot stood up to Microsoft and refused to take down the posts. Believing the best defense is a good offense, Slashdot lawyers fired back a series of questions of their own to Microsoft lawyers, questioning the basis of the company's claims and charges. At this writing, Slashdot hasn't heard back from Microsoft's lawyers. A Microsoft spokesperson has told us that Slashdot chose not to address the points that Microsoft raised and that Microsoft will not speculate on any further action at this time.

Let's be clear on one thing: Microsoft's customization of the authorization placeholder field is entirely legitimate. Others, including the OSF with its DCE specification, have customized Kerberos in a similar manner. What's at issue here isn't Microsoft's Kerberos extensions, but the company's disingenuous ownership claims, onerous licensing policies, and bullying tactics. In an effort to clean up the sour milk Microsoft has spilt, Clifford Neuman is drafting a proposal to include in the specification a list of identifiers across different systems -- including Windows 2000 -- in a generic manner, along the lines he described in 1993.

Microsoft doesn't have a monopoly on dumb ideas; witness the adoption of the Uniform Computer Information Transactions Act (UCITA), Digital Millennium Copyright Act, and the like. Unfortunately, large organizations often foster stupidity because responsible individuals can hide behind the anonymity of faceless committees and hired public-relations flacks. And in these kinds of environments, it is just as sad that good ideas often go unacknowledged and unrewarded.

Jonathan Erickson

