These extensions will improve the acceptance of Kerberos by extending the range of situations in which it is suitable for network authentication. They will allow interoperability with the public key certification hierarchies that are being put in place for privacy-enhanced electronic mail.
Authorization, the second component of the infrastructure, will be supported using a mechanism called restricted proxies. A restricted proxy is a Kerberos authentication credential that allows one entity to act on behalf of another, but only for a restricted set of operations described in the credential itself. Restricted proxies are being used to support distributed authorization and group servers, and the authorization services provide a base for distributed accounting and payment services such as NetCheque.
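The restricted-proxy idea described above, as an added sketch that is not code from the SILDS project or from Kerberos. It assumes an HMAC under a key shared by the grantor and the end server in place of the Kerberos credential; the field names, function names and sample principals are hypothetical.

```python
import hashlib
import hmac
import json
import time

def _mac(key, body):
    # Canonical JSON so the grantor and the end server MAC identical bytes.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def grant_proxy(key, grantor, grantee, operations, expires):
    """Grantor issues a credential that carries its own list of permitted operations."""
    body = {"grantor": grantor, "grantee": grantee,
            "operations": sorted(operations), "expires": expires}
    return {"body": body, "mac": _mac(key, body)}

def check_request(key, proxy, presenter, operation, now=None):
    """End-server check. `presenter` is assumed to be authenticated separately."""
    now = time.time() if now is None else now
    body = proxy.get("body", {})
    # Verify integrity first: nothing in the body is trusted before this passes.
    if not hmac.compare_digest(_mac(key, body), str(proxy.get("mac", ""))):
        return False, "bad integrity check"
    if presenter != body["grantee"]:
        return False, "presenter is not the grantee"
    if now >= body["expires"]:
        return False, "expired"
    if operation not in body["operations"]:
        return False, "operation not covered by proxy"
    return True, "ok: acting for " + body["grantor"]

def demo():
    key = b"constructed-demo-key"  # constructed; stands in for a Kerberos-protected key
    proxy = grant_proxy(key, "alice", "printsvc", ["read:/reports/q3"], expires=2000)
    # A holder tries to widen the restrictions without being able to recompute the MAC.
    widened = {"body": dict(proxy["body"], operations=["delete:/reports/q3"]),
               "mac": proxy["mac"]}
    return {
        "allowed": check_request(key, proxy, "printsvc", "read:/reports/q3", now=1000),
        "other_op": check_request(key, proxy, "printsvc", "delete:/reports/q3", now=1000),
        "other_holder": check_request(key, proxy, "mallory", "read:/reports/q3", now=1000),
        "expired": check_request(key, proxy, "printsvc", "read:/reports/q3", now=3000),
        "widened": check_request(key, widened, "printsvc", "delete:/reports/q3", now=1000),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```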
Through the SILDS project, the Information Sciences Institute recently released NetCheque, an electronic payment system for the Internet. Users registered with NetCheque accounting servers are able to write electronic checks to other users. These checks may be sent through e-mail or as payment for services provided through other protocols like those supporting the World Wide Web. When deposited, the check authorizes the transfer of account balances from the account against which the check was drawn to the account to which the check was deposited.
The strengths of the NetCheque system are its security, reliability, scalability, and efficiency. Signatures on checks are authenticated using Kerberos. Reliability and scalability are provided by using multiple accounting servers. NetCheque is well suited for clearing micropayments; its use of conventional cryptography makes it more efficient than systems based on public key cryptography. The NetCheque system enables the creation of new Internet services that charge small fees, on the order of pennies, for access to information, processing queries, and consumption of resources. Such services are a critical component of electronic commerce.