7.1.3 How does SESAME relate to Kerberos?

Linda Gricius (April, 1998):

Similar work, aimed specifically at UNIX systems, has been done by the Massachusetts Institute of Technology which has developed a basic distributed single sign-on technology called Kerberos. Kerberos has been proposed as an Internet standard (RFC1510).

In the light of this work, the SESAME project decided that in its early implementation some of the SESAME components would be accessible through the Kerberos V5 protocol (as specified in RFC1510), and would use Kerberos data structures, as well as new SESAME ones. This has shown unequivocally that a product quality approach reusing selected parts of the Kerberos specification is workable and that a world standard is possible incorporating features of both technologies. SESAME extends Kerberos in the following ways:

• It introduces user privilege attributes, contained in a digitally signed Privilege Attribute certificate (PAC) and issued by a Privilege Attribute Service (PAS). This enables users to carry various identities and privileges (groups, roles and any locally defined attribute types) rather than a simple "name" as Kerberos provides.
• SESAME also uses public keys, optionally, in the formation of associations between clients and targets. Kerberos uses secret key technology only.
• SESAME has controlled delegation of privileges (PACs), so that targets can proxy their client's privileges to call other services on their behalf (rather than calling them as themselves). Kerberos has only uncontrolled delegation, and SPKM has no delegation.

Regardless of the security mechanism used, the DAIS Security service accesses the mechanism via a generic API, called the Generic Security Services API or GSS-API. This is a standard API that presents the same interface to the caller, regardless of the mechanism underneath being used to implement the functions.