Sun to include new single sign-on standard in Solaris 2.6

Open Group to adopt PAM, plans fast track for Intel's public key management standard
San Francisco (April 1, 1997) -- The Open Group is about to release specifications for what it's billing as a new single sign-on standard called PAM (Pluggable Authentication Modules). PAM is the first step in the Open Group's ambitious plan to create a "single sign-on infrastructure" that will eventually integrate authentication technologies as diverse as passwords, smart cards, and even biometric authentication. The technical specification, led by Sun Microsystems and Hewlett-Packard, was hammered out at the Open Group's recent members meeting in Seattle, WA. Open Group member companies will go through the formality of voting on the specification over the next couple of weeks. After that, the specification goes public on the Open Group's Web site.
Open Group Security Director Dean Adams says that he expects to have a "brandable specification within six months" and that some member companies are already building implementations. In fact, Glenn Scott, director of engineering for SunSoft's newly formed security products business unit, says that PAM will be integrated into Solaris 2.6, expected this summer.
Scott is significantly less enthusiastic than the Open Group on the single sign-on potential of PAM, however. He says that the technology still has a long way to go before it becomes the single sign-on infrastructure the Open Group envisions. "Single sign-on is a separate problem space from PAM," Scott says. PAM gives system entry services such as login, rlogin, and telnet one integrated set of APIs with which to interface, so that new and diverse authentication technologies, like RSA, DCE, or Kerberos, can be integrated without any customization. To do this, an integrator would, for example, write a thin "shim" using PAM APIs that would allow a smart card to log into the system. Scott calls this "primary authentication." He says that PAM could be used for single sign-on, but in its current form it is a long way from providing "secondary authentication" -- or authentication across multiple platforms (say, Solaris to NT). According to one source working on PAM within the Open Group, "everyone's agreed that PAM will be for the primary authentication," however, "outside of that, the Open Group has not figured out how to handle the secondary authentication."
But Adams remains optimistic. He says that the huge market potential of single sign-on will only be realized "if single sign-on products conform to one form of coherent standard." The Open Group's PAM working group will next tackle secure transport protocols and user group management information.
Separately, Adams says that the Open Group has asked a number of vendors, led by Intel, Entrust, IBM, and Netscape, to propose a standard set of APIs for managing public key certificates, based on Intel's Common Data Security Architecture (CDSA). He says, "what we want are standard APIs that will give us access to a standard set of services." He says that the APIs will, for example, define how to create, revoke, or distribute x.500 certificates. Right now, Sun says it's "evaluating" CDSA; it already has its own home-grown Secure Key Infrastructure (SKI) technology and is evaluating whether it will incorporate SKI into CDSA or simply ignore it.
Intel's implementation is already available for NT, and the CDSA group's proposal is expected at the Open Group's next meeting in London on June 6, 1997. CDSA's fast-track status means that, if approved, CDSA should become a standard three months after the meeting.
URL: http://www.sunworld.com/swol-04-1997/swol-04-opengroup.html