[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Results from my request for testimonials

In the event that you have to convince your management that this  
software from Sweden is safe to use the following may be helpful.  ;-)

OTOH if you are trying to decide whether to use MIT, Heimdal, or some  
other Kerberos software that's a different question.  My opinion is  
that there are several good implementations and which is best depends  
on what unique characteristics you need/want.  In my case AFS is the  
biggest application and the fact the KTH also makes AFS software  

Begin forwarded message:

> Subject: K5 Upgrade CDR RFA 5
> Is this an adequate response to your RFA?
>  RFA 5
> Assess the risk associated with the Kerberos v5 implementation based  
> on the age and others’ experience base with the software.
>  Recommended Action
> Research and make assessment, identify mitigation if possible.
>  Response:
> It's acknowledged that Heimdal is neither as old nor as widely  
> deployed as the MIT implementation of Kerberos 5.  Heimdal was started  
> in 1997, and has been deployed at KTH in Sweden since 2000.  It  
> replaced MIT Kerberos 4 as the bundled Kerberos implementation for  
> NetBSD slightly before that.  I wouldn't have recommended it if I  
> didn't think it could do the job.
> While there are a number of institutions using it, there may not be  
> very many with as many principals as we have (about 14,000).
> KTH.SE (where Heimdal was developed) has more than 27,000 principals  
> spread over 4 realms.
> SU.SE (Stockholm University) "should be somewhere in the 10-30k range."
> COM.MX  "We have a heimdal 0.6 server in a commercial application  
> (just released in January this year) with a OpenLDAP Backend tested  
> with 10000 users but we hope 50000 this year."
> CMU.EDU "Our clients have used heimdal-0.4e in production since  
> sometime in 2001.
> We upgraded our KDC's last fall from an old MIT version to Heimdal 0.6  
> plus a few local modifications.  There were about 20000 principals in  
> the database at that time; today we have about 21000 of which 14000  
> are unexpired; those are about evenly split between services, users,  
> and alternate (non-null) instances.
> The master KDC handles on the order of 3-6 requests/sec (depending on  
> time of day); we expect that on current hardware it ought to be able  
> to handle a lot more.  We have never seen a problem.
> -- Jeff"  [Jeffrey Hutzelman is co-chair of the IETF Kerberos Working  
> Group]
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu