[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Results from my request for testimonials
In the event that you have to convince your management that this
software from Sweden is safe to use the following may be helpful. ;-)
OTOH if you are trying to decide whether to use MIT, Heimdal, or some
other Kerberos software that's a different question. My opinion is
that there are several good implementations and which is best depends
on what unique characteristics you need/want. In my case AFS is the
biggest application and the fact the KTH also makes AFS software
Begin forwarded message:
> Subject: K5 Upgrade CDR RFA 5
> Is this an adequate response to your RFA?
> RFA 5
> Assess the risk associated with the Kerberos v5 implementation based
> on the age and others’ experience base with the software.
> Recommended Action
> Research and make assessment, identify mitigation if possible.
> It's acknowledged that Heimdal is neither as old nor as widely
> deployed as the MIT implementation of Kerberos 5. Heimdal was started
> in 1997, and has been deployed at KTH in Sweden since 2000. It
> replaced MIT Kerberos 4 as the bundled Kerberos implementation for
> NetBSD slightly before that. I wouldn't have recommended it if I
> didn't think it could do the job.
> While there are a number of institutions using it, there may not be
> very many with as many principals as we have (about 14,000).
> KTH.SE (where Heimdal was developed) has more than 27,000 principals
> spread over 4 realms.
> SU.SE (Stockholm University) "should be somewhere in the 10-30k range."
> COM.MX "We have a heimdal 0.6 server in a commercial application
> (just released in January this year) with a OpenLDAP Backend tested
> with 10000 users but we hope 50000 this year."
> CMU.EDU "Our clients have used heimdal-0.4e in production since
> sometime in 2001.
> We upgraded our KDC's last fall from an old MIT version to Heimdal 0.6
> plus a few local modifications. There were about 20000 principals in
> the database at that time; today we have about 21000 of which 14000
> are unexpired; those are about evenly split between services, users,
> and alternate (non-null) instances.
> The master KDC handles on the order of 3-6 requests/sec (depending on
> time of day); we expect that on current hardware it ought to be able
> to handle a lot more. We have never seen a problem.
> -- Jeff" [Jeffrey Hutzelman is co-chair of the IETF Kerberos Working
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or email@example.com