Potentially, this technology, which is based on public key encryption, can provide all the security guarantees required by enterprises, but current implementations remain limited. This is mainly due to the lack of the required infrastructure: in order to use these mechanisms for full mutual authentication, a ubiquitous infrastructure of public keys and public key certifying authorities is required. In addition, the Web still lacks mechanisms for secure access control based on authenticated individual and group identities. Finally, as with many new technologies, the most popular implementations of Web security have been plagued by well-publicised security holes.
DCE Security Services
The DCE security services are specifically designed to meet the security needs of enterprise distributed computing. They provide all the basic elements mentioned in the last section by integrating a number of well-tested, industry-standard security technologies: data privacy and integrity protection based on DES private-key and other standard encryption technologies; authentication based on the MIT-developed Kerberos technology; and authorisation based on the POSIX standard Access Control List (ACL) mechanism.
DCE security is designed to permit the application of consistent security policies over any enterprise-defined realm. DCE organises resources in units called cells, which are collections of users, machines, services, and data that can be administered under a unified set of policies. For example, users can be organised into cell-wide groups whose membership is maintained by the cell security service. Whenever a client requests a service from a DCE application server, the server receives an authenticated client identifier, supplied by the security service, that defines the client's individual and group identity. Servers throughout the cell therefore have a consistent view of group memberships, as certified by the security service, for making access control decisions.
DCE cells function as units of organisation and scaling for security and other services. For example, trust relationships can be established between cells to permit secure interactions between clients in one cell and servers in another. This makes it possible for enterprises to organise distributed computing resources in efficiently sized units in much the same way that business processes themselves are organised.
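The access control decision described above, sketched as an added example: it is a simplified model of POSIX-style ACL evaluation over an authenticated identity, not DCE's own API or code. The `Identity` and `AclEntry` types, the function names, and all cell, principal and group names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:            # authenticated client identity, as certified by a security service
    cell: str
    principal: str
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class AclEntry:
    kind: str              # "user", "group" or "other"
    cell: str              # cell whose security service certifies the name
    name: str              # principal or group name ("" for "other")
    perms: frozenset

def granted(identity, acl, trusted_cells):
    """Permissions a POSIX-style ACL gives to an authenticated identity."""
    if identity.cell not in trusted_cells:      # no trust relationship: nothing to evaluate
        return frozenset()
    for e in acl:                               # 1. a matching user entry decides alone
        if e.kind == "user" and (e.cell, e.name) == (identity.cell, identity.principal):
            return e.perms
    groups = [e.perms for e in acl              # 2. else the union of matching group entries
              if e.kind == "group" and e.cell == identity.cell and e.name in identity.groups]
    if groups:
        return frozenset().union(*groups)
    for e in acl:                               # 3. else the "other" entry for that cell
        if e.kind == "other" and e.cell == identity.cell:
            return e.perms
    return frozenset()                          # default deny

def is_authorized(identity, acl, trusted_cells, needed):
    return frozenset(needed) <= granted(identity, acl, trusted_cells)

# Constructed sample data: cell names, principals and groups are invented.
HOME, PARTNER, UNKNOWN = "/.../hq.example", "/.../partner.example", "/.../unknown.example"
TRUSTED = {HOME, PARTNER}
ACL = [
    AclEntry("user", HOME, "alice", frozenset("rw")),
    AclEntry("group", HOME, "auditors", frozenset("r")),
    AclEntry("group", HOME, "ops", frozenset("rx")),
    AclEntry("group", PARTNER, "reviewers", frozenset("r")),
    AclEntry("other", HOME, "", frozenset()),
]

if __name__ == "__main__":
    for who in (Identity(HOME, "alice", frozenset({"ops"})),
                Identity(HOME, "bob", frozenset({"auditors", "ops"})),
                Identity(PARTNER, "carol", frozenset({"ops"})),
                Identity(UNKNOWN, "mallory", frozenset({"ops"}))):
        print(who.principal, sorted(granted(who, ACL, TRUSTED)))
```

Because group names are scoped to the cell that certifies them, a partner-cell client claiming membership of `ops` does not match the home cell's `ops` entry, and a client from a cell with no trust relationship is denied before the ACL is consulted.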