Kerberos loophole may close around Microsoft's neck

A standards group might change the authentication protocol's spec, making Redmond's version noncompliant.

As a legal wrangle develops over whether the Linux/open-source news Web site Slashdot.org can post messages containing what Microsoft (MSFT) calls a "trade secret," key members of the technical standards community have lost patience with the software giant's assertion of proprietary control over an open standard.

At issue is a security protocol called Kerberos, a mechanism that authenticates users' identities when they log on to a network. The version of Kerberos in Windows 2000 relies on a loophole in the Internet standard specification: a field whose contents the standard deliberately leaves undefined so that implementations can carry their own data in it.

Upset that Microsoft has in essence driven a truck painted with the Windows logo straight through that opening, Clifford Neuman, the principal author of the original MIT version of Kerberos and current editor of the IETF's Kerberos standard document, is drafting a proposal to close the hole in the spec. The IETF is an international group that sets standards for the Internet.

Such a move would render Microsoft's made-for-Windows version of Kerberos nonstandard, at least in part. To gain full compliance, Microsoft would have to change part of its Kerberos code or open it fully to outsiders, ensuring that competing versions of Kerberos have the same access to Windows. The current legal question eventually might be rendered moot as a result.

In the meantime, Andover.net, the owner of Slashdot, has responded defiantly to a legal notice from Microsoft that cites the Digital Millennium Copyright Act. The site refused to remove postings of the "secret" part of the Windows 2000 Kerberos code, published on Slashdot by open-source activists.

Andover lawyers have sent a response to Microsoft that poses questions aimed at expanding the issue beyond copyright law.

"How can Microsoft claim proprietary protections for enhancement to an open-standard protocol?" the letter states. Andover also questions Redmond's secrecy claim, given that Microsoft first published the code on the Internet.

Microsoft's implementation of Kerberos uses that undefined data field in the spec to carry authorization data for the Windows 2000 operating system. Microsoft published the format of this additional data on the Web but attached restrictions that essentially lock down the information. To download the file, users must agree to a licensing restriction that labels the material "confidential information and a trade secret."
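To make the "undefined field" concrete, here is an added example (written for this page, not code from Microsoft, MIT or the article) that encodes and decodes the Kerberos AuthorizationData container. The standard defines only the outer structure, a sequence of (ad-type, ad-data) pairs; it says nothing about the bytes inside ad-data for a given ad-type, which is exactly the room Microsoft used. The ad-type numbers in the table are those registered in RFC 4120, which postdates this article; the sample ticket data and the five-byte blob under type 128 are constructed stand-ins, not a real Windows structure.

```python
"""Kerberos AuthorizationData (RFC 4120 section 5.2.6), DER-encoded:

    AuthorizationData ::= SEQUENCE OF SEQUENCE {
        ad-type  [0] Int32,
        ad-data  [1] OCTET STRING
    }

The standard fixes only this container. What goes inside ad-data for a given
ad-type is up to whoever defines that type; a consumer that does not know a
type carries the octets through as an opaque blob.
"""

# ad-type values registered in RFC 4120 section 7.5.4 (a later document than
# the article). 128 is the value registered for the Windows 2000 PAC.
KNOWN_AD_TYPES = {
    1: "AD-IF-RELEVANT",
    4: "AD-KDCIssued",
    5: "AD-AND-OR",
    8: "AD-MANDATORY-FOR-KDC",
    128: "AD-WIN2K-PAC",
}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int32(v: int) -> bytes:
    """Minimal two's-complement INTEGER encoding, as DER requires."""
    if not -(1 << 31) <= v < (1 << 31):
        raise ValueError("ad-type outside Int32 range")
    size = 1
    while not -(1 << (8 * size - 1)) <= v < (1 << (8 * size - 1)):
        size += 1
    return _tlv(0x02, v.to_bytes(size, "big", signed=True))


def encode_authorization_data(entries):
    """entries: iterable of (ad_type, ad_data bytes). Kerberos tags are EXPLICIT,
    so [0] is 0xA0 wrapping an INTEGER and [1] is 0xA1 wrapping an OCTET STRING."""
    body = b"".join(
        _tlv(0x30, _tlv(0xA0, _der_int32(t)) + _tlv(0xA1, _tlv(0x04, d)))
        for t, d in entries
    )
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, end_offset) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad length encoding")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated contents")
    return tag, buf[pos + hdr:end], end


def _expect(buf: bytes, pos: int, tag: int):
    t, contents, end = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag {tag:#04x}, got {t:#04x}")
    return contents, end


def decode_authorization_data(buf: bytes):
    """Parse into a list of (ad_type, ad_data). ad_data is returned untouched."""
    outer, end = _expect(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after AuthorizationData")
    entries, pos = [], 0
    while pos < len(outer):
        elem, pos = _expect(outer, pos, 0x30)
        ctx0, p = _expect(elem, 0, 0xA0)
        raw_type, _ = _expect(ctx0, 0, 0x02)
        ctx1, p = _expect(elem, p, 0xA1)
        ad_data, _ = _expect(ctx1, 0, 0x04)
        if p != len(elem):
            raise ValueError("unexpected field in AuthorizationData element")
        entries.append((int.from_bytes(raw_type, "big", signed=True), ad_data))
    return entries


def opaque_entries(buf: bytes, understood=frozenset({1, 4, 5, 8})):
    """What a non-Microsoft consumer sees: every ad-type it does not implement
    is a blob to pass through. Knowing only the generic RFC types, the PAC is one."""
    return [(t, d) for t, d in decode_authorization_data(buf) if t not in understood]


# Constructed sample (not a real ticket): an AD-IF-RELEVANT entry holding an
# empty inner AuthorizationData, plus a type-128 entry whose ad-data is a
# made-up five-byte stand-in for Microsoft's private blob.
SAMPLE = encode_authorization_data([
    (1, b"\x30\x00"),
    (128, b"\x4d\x53\x50\x41\x43"),
])

if __name__ == "__main__":
    for ad_type, ad_data in decode_authorization_data(SAMPLE):
        name = KNOWN_AD_TYPES.get(ad_type, "unregistered")
        print(f"ad-type {ad_type:>3} ({name}): {len(ad_data)} opaque bytes")
```

Running it prints both entries; the parser is equally happy with either, because the container is all the standard constrains. Whether the bytes under type 128 mean anything depends entirely on the consumer having Microsoft's format, which is the interoperability question the rest of the article turns on.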

Microsoft says keeping the enhancement portion of its code proprietary does not affect the interoperability of Windows 2000 Kerberos. Critics argue, however, that Microsoft is making it difficult to install rival versions of Kerberos on a network with Windows 2000 desktops and non-Microsoft servers.

Microsoft is "using its monopoly on the desktop to force people to use its server," says Paul Hill, coleader of the Kerberos team at MIT.

Anger over Microsoft's tactics led open-source advocates to ignore Microsoft's lock-down licensing agreement and post the code on Slashdot's site. Microsoft then demanded that the site remove the information from its servers.

Although Slashdot initially cried censorship, Microsoft rejected First Amendment arguments. "It's not about free speech. We're not asking for people's comments to be pulled down," said Microsoft spokesperson Adam Sohn. "It's the manner in which the [copyrighted information] is being distributed that we're asking Slashdot to address."

Slashdot's lawyers have in turn moved the discussion beyond censorship, and in doing so they might have gained the backing of the technical standards community.

Even if Microsoft has copyright law on its side, Neuman considers the software giant's legal move "pretty bogus."

Far from regarding Microsoft's protected code as a "trade secret," Neuman, who is also a senior research scientist at the University of Southern California, considers it to be wholly derivative. Neuman said he personally described its essentials in a 1993 scientific paper.

"Some of the specific changes that they did were actually things I suggested on the Kerberos mailing list," he says. "So I don't know what sort of claims they are trying to make on this."

Neuman believes that, given the legal spat, it is time to define a generic format for the previously undefined authorization data field in the specification, a move already under discussion on the official Kerberos mailing list.

In addition, Neuman has committed to drafting a proposal to define the disputed data field within the next couple of weeks. If approved, the authorization portion of Kerberos in Windows 2000 would no longer conform to the standard.

At that point, Microsoft will have to choose whether to play by IETF rules or abandon its claims of full compliance. That decision should clarify which is more important to Microsoft: full interoperability or protecting Windows.

For more in-depth coverage of the Internet Economy, visit The Industry Standard, a sister publication to Network World. Copyright 2000 The Industry Standard. All rights reserved.

Copyright, 1994-2006 Network World, Inc. All rights reserved.