April through June 2010

The Kerberos Consortium began work on the features of MIT Kerberos Release 1.9 (slated for release in December 2010). Notable features include tools to aid in the testing of Kerberos installations and in configuration validation by administrators. Another feature to be added is an automatic lock-out of accounts when a user fails authentication multiple times. This feature was introduced in response to a request from one of the Members of the MIT Kerberos Consortium from the financial sector.

One significant advance in the evolution of MIT Kerberos will be the introduction of a new plugin architecture in Rel 1.9, which would allow third-party plugin developers to add new plugins that implement specific features. This architecture would also help developers activate or deactivate features of interest when they compile MIT Kerberos as part of their application.

Since the developer and user communities around MIT Kerberos are international in composition, Release 1.9 will include the Camellia encryption algorithm, which is popular in Japan and which may soon be mandated by the Japanese government for all products it acquires. This effort was the result of a close working relationship with the NTT software group in Japan.

January through March 2010

In the first Quarter of 2010, the Kerberos Consortium released Kerberos 1.8 with a number of important features requested by our customers and user community. High on the list of features is Crypto Modularity, which was requested by several organizations for government FIPS-140 compliance. This feature allows users to replace our crypto library with their own FIPS-140 compliant library. Another simple (but often overlooked) feature is automatic password lock-out, in which the administrator can tailor the number and frequency of allowable erroneous password entries (leading to users being automatically locked out). Due to the heavy use of Kerberos in government organizations, another feature added was pre-authentication support. This allows client computers with no previous transactions with the KDC Server to bootstrap trust with the KDC by securely establishing the long-term cryptographic key, which is the starting point for the Kerberos authentication protocol. Finally, we have also begun code quality improvements and re-architecting, which is an undertaking that may take several months.

In addition to Rel 1.8, we have also addressed a number of security vulnerabilities found in our previous Rel 1.7. These improvements addressed numerous bugs reported by the user and developer community. As part of this general effort to improve the security quality of the MIT Kerberos code-base, we have also made some design decisions that would discourage users from deploying weak cryptographic algorithms (such as DES). The improvements have been announced as Rel. 1.7.1.

October through December 2009

In the 2nd Quarter of fiscal year 2010, the Kerberos Consortium achieved a number of its goals set earlier in the year. The majority of the features of Release 1.8 achieved Alpha or Beta status during that quarter, and they continue to undergo testing in preparation for Final Release 1.8 in the 3rd Quarter of the fiscal year. These features include cryptographic modularity (for FIPS-140 compliance for the Government sector), the PKINIT feature for improved security of Kerberos infrastructure setup, test-driven development capabilities for better code quality, and the automatic lockout feature for reducing dictionary attacks against Kerberos installations.
 
In October 2009 the Consortium held its Kerberos Conference at MIT, as part of its broad outreach efforts and requirements gathering process from the world-wide Kerberos community.  Two notable keynotes were delivered by Phil Venables (Chief Security Officer, Goldman-Sachs) and Kim Cameron (Microsoft Chief Identity Architect). Attendance reached over 70 people for the 2-day event. In addition, during the same week the Kerberos Consortium also held its quarterly Board Of Directors meeting at MIT.

July through September 2009

ISDA KC FY10Q1.ppt

April through June 2009

- Held Kerberos Interoperability Event and Executive Advisory Board meeting, hosted by Microsoft in Redmond, Washington
- Attended Ubuntu Developer's Summit as invited guests and delivered plenary address
- Attended and held half-day workshop at RSA Security Conference as invited experts.
- Released MIT Kerberos 1.7, which includes an implementation of the Microsoft Protocol Extensions
- Reduced number of code defects from 70 to 10.
- Created port of MySQL database system to MIT Kerberos 

January through March 2009

In the third quarter of FY '09, the MIT Kerberos Consortium continued to make progress towards its goals.  In January, it released Kerberos 1.7a, a new version of MIT Kerberos which incorporates an independent implementation of the Microsoft protocol extensions, as well as other desirable features and functionality.  It publicly released a significant new working paper entitled "Towards Kerberizing Web and Identity Services".  This paper was the result of a collaboration between the Consortium, its sponsors and a variety of other experts on security and identity management.  It held the fourth Executive Advisory Board meeting of the Kerberos Consortium at Microsoft in late March.  It held its first Interoperability Plug-athon, hosted by Microsoft, with 14 attendees from six different organizations.

It has initiated a new collaboration with Red Hat, Ubuntu and Sun, to create a bundle of open source components whose combined functionality approximates that of a Microsoft Active Directory server.  In the fourth quarter of FY '09 it will make progress toward this goal through the development of requirements and specifications with these external parties.

Fundraising in the current economic climate remains challenging.  However, a recent reduction in sponsorship fees has generated renewed interest in joining the Consortium.  The Consortium maintains sufficient financial reserves to withstand the economic downturn.

October through December 2008

In the second quarter of fiscal year 2009, the MIT Kerberos Consortium celebrated its first anniversary and continued to make substantial progress towards its goals. 

The Consortium released one highly significant white paper, "Towards Kerberizing Web and Identity Services", in collaboration with our sponsors.  This white paper charts a roadmap for enabling fully functional Kerberos on the World Wide Web.

The Consortium hired Thomas Hardjono, a well-known leader in the IT security field, as its Strategic Advisor.  He holds advanced degrees and has a decade of experience in open source software and security.

The Kerberos Consortium received the Andrew W. Mellon Foundation Mellon Award for Technology Collaboration and an accompanying $100,000 prize.

It held its third Executive Advisory Board meeting.  It also convened a private Financial Services Security Summit in New York City that attracted 31 attendees from many of the largest investment banking firms.

The Kerberos Consortium team continues to make progress towards its development goals.  It anticipates releasing a new version of Kerberos for all platforms in January 2009.  This forthcoming release includes an implementation of the Microsoft Protocol Extensions to Kerberos.  This will give the MIT version of Kerberos feature parity with that of Microsoft, at a key time when many businesses are looking for cost savings on software capital investments.

New corporate interest in supporting the work of the Consortium has fallen off sharply with the recent economic crisis.  However, it has sufficient financial reserves to preserve operations until economic conditions improve.  It will work to generate new types of revenue streams in the coming quarters, such as special project funding, interoperability testing fees, and grant funding.

July through September 2008

In the first quarter of fiscal year 2009, the MIT Kerberos Consortium made substantial progress towards its goals.  Apple, Sun, and Google agreed to renew their sponsorship for an additional year.  It also received notice of a significant prize, to be awarded in the second quarter.

The Consortium released four additional white papers: "Best Practices for Integrating Kerberos Into Your Application", "The MIT Kerberos Administrator's How-to Guide", "The Role of Kerberos in Modern Information Systems", and "Recommended Practices for Deploying & Using Kerberos in Mixed Environments".  These white papers are available for free under the same copyright as the Kerberos Software.

The Consortium hired two new senior programmers: Zhanna Tsitkova and Greg Hudson.  Both hold advanced degrees and have a decade of experience in open source software and security.  Tom Yu was promoted to Development Manager.

The Consortium delivered "Kerberos Lite", a low-disk and in-memory version of Kerberos more appropriate for mobile and embedded devices, and the "Kerberos Identity Manager", a system for managing multiple Kerberos identities within and across realms.

It has made significant progress towards a road map for enabling Kerberos on the World Wide Web, which will be presented at the next meeting of the Executive Advisory Board, and as part of our Financial Services Security Summit in New York City, on November 3rd and 4th, respectively.

The Kerberos Consortium team continues to make progress towards their development goals.  It anticipates releasing a new version of Kerberos for all platforms in the third quarter of FY2009.

April through June 2008

In the fourth quarter of fiscal year 2008, the MIT Kerberos Consortium continued to make progress towards its goals.  Microsoft officially joined the Consortium and placed a senior executive on the Board of Advisors.  Eleven positive articles appeared in the national press regarding this significant event.  The second Board of Advisors' meeting was held on the Google campus in California, with representatives from Apple, Google, Microsoft, MIT and Sun in attendance.  The technology roadmap for Kerberos was presented and approved at this meeting.

The Consortium also produced its first white paper, "Why is Kerberos a Credible Security Solution?"  The Kerberos Consortium team continues to make progress towards its development goals.  It anticipates releasing a new version of Kerberos for all platforms, as well as introducing Kerberos on a mobile device, in fiscal year 2009.
