A Microsoft executive testified at the software giant's remedy hearing that the company goes to great lengths to disclose interfaces and protocols that allow third-party software products to interact with Windows. But a lawyer with the states suing Microsoft pointed out that when it comes to the company's use of the Kerberos authentication specification, not everyone agrees.
Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version 5 specification that Windows clients use for proprietary purposes and still achieve interoperability with the Microsoft OS.
Microsoft takes advantage of unspecified fields in the Kerberos specification for storing Windows-specific authorisation data, Short wrote. The designers of Kerberos left these fields undefined so that software developers could add their own authorisation information, he said.
The Kerberos specification is designed to authenticate users on a network so that they can be granted access to files and resources. Authorisation determines which network resources the authenticated user can access.
During cross-examination Monday afternoon, Laurie Fulton, a lawyer for the states, asked if Short was referring only to authentication -- and not authorisation -- when he wrote in his direct testimony that Microsoft's implementation of Kerberos would interoperate with those from other companies. Yes, answered Short, adding that Microsoft's extensions to Kerberos would not impede interoperability for authentication.
"Many Unix operating systems that use Kerberos for authentication do not have a distributed authorisation model for access control -- instead, access rights to server resources are presumed from authentication," Short wrote in his direct testimony. "Such non-Microsoft server operating systems can simply disregard the (Windows-specific authorization data) in Microsoft Kerberos tickets."
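As an added illustration of the mechanism Short describes (example code, not from the article or from Microsoft): RFC 4120 defines a ticket's authorization-data as a list of typed elements, with a wrapper type AD-IF-RELEVANT (ad-type 1) whose contents a server may ignore when it does not understand them, and Windows places its authorisation data (ad-type 128, AD-WIN2K-PAC) inside that wrapper. The DER codec, the sample bytes and the `usable_authz` server policy below are this example's own constructions; a real PAC is a large structure, stood in for here by placeholder bytes.

```python
# Minimal DER codec for Kerberos V5 AuthorizationData (RFC 4120 section 5.2.6):
# SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }, explicit tags.
AD_IF_RELEVANT = 1   # RFC 4120 7.5.4: wrapped types a server does not understand MAY be ignored
AD_WIN2K_PAC = 128   # RFC 4120 7.5.4: Microsoft's Windows-specific authorization data
def _der(tag, body):
    assert len(body) < 0x80, "this example encodes short-form lengths only"
    return bytes([tag, len(body)]) + body

def encode_authz_data(elems):
    """[(ad_type, ad_data), ...] -> DER AuthorizationData."""
    out = b""
    for ad_type, ad_data in elems:
        width = ad_type.bit_length() // 8 + 1        # two's-complement INTEGER width
        t = _der(0xA0, _der(0x02, ad_type.to_bytes(width, "big", signed=True)))
        out += _der(0x30, t + _der(0xA1, _der(0x04, ad_data)))
    return _der(0x30, out)

def _expect(buf, pos, tag):
    """Read the short-form TLV at buf[pos], check its tag, return (value, next_pos)."""
    t, ln = buf[pos], buf[pos + 1]
    if t != tag or ln & 0x80 or pos + 2 + ln > len(buf):
        raise ValueError(f"bad TLV at offset {pos}: tag {t:#x}, length {ln}")
    return buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def decode_authz_data(der):
    """DER AuthorizationData -> [(ad_type, ad_data), ...]; rejects trailing bytes."""
    seq, end = _expect(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after AuthorizationData")
    elems, pos = [], 0
    while pos < len(seq):
        elem, pos = _expect(seq, pos, 0x30)
        t_wrap, p = _expect(elem, 0, 0xA0)
        ad_type = int.from_bytes(_expect(t_wrap, 0, 0x02)[0], "big", signed=True)
        elems.append((ad_type, _expect(_expect(elem, p, 0xA1)[0], 0, 0x04)[0]))
    return elems

def usable_authz(der, understood):
    """Elements a server acts on: unknown types inside AD-IF-RELEVANT are skipped; unknown top-level types are fatal (this example's policy)."""
    usable = []
    for ad_type, ad_data in decode_authz_data(der):
        if ad_type == AD_IF_RELEVANT:
            usable += [e for e in decode_authz_data(ad_data) if e[0] in understood]
        elif ad_type in understood:
            usable.append((ad_type, ad_data))
        else:
            raise ValueError(f"ad-type {ad_type} outside AD-IF-RELEVANT not understood")
    return usable
# Constructed sample shaped like a Windows ticket's authorization-data: PAC placeholder wrapped in AD-IF-RELEVANT.
SAMPLE = encode_authz_data(
    [(AD_IF_RELEVANT, encode_authz_data([(AD_WIN2K_PAC, b"<PAC placeholder>")]))])
```

A server passing an empty `understood` set (the Unix case in Short's testimony) gets no authorisation elements back and falls through to its own access model, while one that knows ad-type 128 receives the wrapped PAC bytes.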
Last year, Microsoft submitted its version of Kerberos to the Internet Engineering Task Force (IETF). According to a Microsoft document Fulton showed the court, a number of the fields were not defined in Microsoft's specification. Fulton asked if Microsoft planned to submit additional information to the IETF, to which Short answered no. "I don't know of anything in these (fields) that we're hiding," he said.
Fulton asked if Short was aware that Jeffrey Schiller, security area director of the IETF, did not believe Microsoft's Kerberos disclosure to be adequate, and had referred to it as "half a loaf," according to the lawyer. Short said he wasn't aware of that opinion. Fulton asked if he believed Microsoft was providing "more than half a loaf," to which he answered yes.