[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Heimdal Vs. MIT Round 4

To: openldap-software@OpenLDAP.org
Subject: Re: Heimdal Vs. MIT Round 4
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Sat, 31 Jul 2004 05:28:26 -0700
Content-disposition: inline
In-reply-to: <B3198E73-E253-11D8-8394-000A959133A8@u.washington.edu>
References: <B3198E73-E253-11D8-8394-000A959133A8@u.washington.edu>

--On Friday, July 30, 2004 11:10 AM -0700 Donn Cave <donn@u.washington.edu> wrote:

I haven't explored this issue in detail, since my application is in
general going to be host-authorized and authenticated via certificate.
But when I tested performance with GSSAPI authentication, I found that
it was significantly slower than SSL certificates.  To my surprise,
since I had expected the cryptography to be more expensive, but I think
the explanation is "replay" detection, which requires the server to
maintain a little database of incoming authentications.  An MIT server,
anyway, as that was what I was using - Heimdal's replay cache system
may be different.  That could sure limit the rate of concurrent
authentications, and the effect could vary a lot between implementations.
Could be an issue, if you have an application where the rate of GSSAPI
authentications is the limiting factor.

Well, that is about exactly what the MIT people say. Heimdal does not use a replay cache, as far as I know. They are putting together a patch in MIT Kerberos that lets you disable the replay cache for a particular process, which I'll be testing soon.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- Re: Heimdal Vs. MIT Round 4
  - From: Donn Cave <donn@u.washington.edu>

Prev by Date: Re: hdb documentation
Index(es):
- Chronological
- Thread