Hello,
 
Speaking of being picky, the DCE Security Service is *based* on
Kerberos, but at the present time, there are serious interoperability
issues. For example, my last build of kinit using the V5BETA4 source
from MIT could not get a TGT without modifications because of
difference in ASN.1 encoding.
 
Also, the DCE Security Service includes the Privilege Service which
makes extensive use of the authorization-data field of the ticket to
provide PACs and EPACs; generic Kerberos really only addresses
name-based authorization.
 
The OSF has talked about full interoperability in the future, but at
the present time it doesn't seem to be there.
 
The result is that depending upon your DCE vendor and any
customizations to the MIT code, you might be able to have Kerberos and
DCE get along.
 
Of course, if you just want the functionality, then DCE on the HP3000
is a great solution. It provides the all the services of Kerberos -
strong mutual authentication, data integrity, and data privacy - plus
the authorization model based on ACLs. Best of all, this is fully
integrated into the RPC mechanism so developing and deploying highly
secure applications is straightforward and intuitive.
 
Joe-Bob says check it out.
 
Paul Lloyd
Hewlett-Packard Corporate Network Services
415-424-3704
[log in to unmask]