Microsoft in the hot seat in new Net flap

Software maker says it is protecting intellectual property. But row over Kerberos security spec is evolving into a free speech tussle. Who's right?
Written by Mary Jo Foley, Senior Contributing Editor

Microsoft again finds itself at odds with the open-source community in a dispute over contending claims regarding an Internet security protocol. Earlier this spring the company took heat for attaching proprietary extensions to the Kerberos security standard, which was developed within the open-source community.

Kerberos is a standard administered by the Internet Engineering Task Force. Microsoft subsequently integrated support for Version 5 of the Kerberos authentication protocol into Windows 2000 in late April, triggering criticism by open-source advocates who contended that the Kerberos implementation was not 100 percent pure. Indeed, Microsoft used an authorisation data field in Kerberos that is not used in standard Kerberos. Microsoft promised it would document the way it implemented the field -- a promise it later fulfilled.

The newest blow-up occurred this week after Microsoft notified officials at the Linux-enthusiast site Slashdot, demanding the removal of certain postings. Microsoft contends the postings violate the end-user licence agreement governing Microsoft's specifications for its Kerberos add-ons.

The letter, which was subsequently published on the Web site, was interpreted by Slashdot as a challenge to free speech.

As a matter of course, Microsoft attached terms and conditions to its spec. The text accompanying the Kerberos field-authorisation documentation maintains that the specification "is confidential information and a trade secret of Microsoft." Developers or users who want access first need to agree not to redistribute or publish Microsoft's code.

"All this licence says is treat this information with confidentiality," said Microsoft spokesman Adam Sohn. "These are our standard agreements for our EULAs (end user licence agreements), the same kind of agreements that Lotus and other software companies use."

Open-source advocates disagreed with Microsoft's take, describing the company's letter demanding action from Slashdot as a strong-arm tactic.

"This (of) course is a very clever way to pretend to distribute the spec, whilst making it completely impossible to implement in competing implementations which implements their proprietary protocol extensions -- extensions to a protocol which was originally published by the Kerberos team as an Open Standard in the IETF," said a note posted to Slashdot, which was penned by Jeremy Allison, lead programmer of the open-source file exchange maker Samba, and Arthur Ts'o, a principal engineer at VA Linux. "This completely defeats the IETF's interoperability goals and helps Microsoft leverage their desktop monopoly into the server market."

But Microsoft's Sohn predictably disagreed with this characterisation. "We don't want anyone to feel we want user comments pulled randomly (from Slashdot). But some of the posts included pointers to the spec and downloaded pieces of it, while going around our EULA."

Microsoft lawyers sent a note to Slashdot officials on Wednesday, claiming that its parent company, Andover.Net, had violated terms of the Digital Millennium Copyright Act of 1998. Robin Miller, editor in chief of Andover.Net, responded to the note, claiming Microsoft was doing little more than demanding censorship.
