Windows CCAPI design sketch

Jeffrey Altman jaltman at secure-endpoints.com
Mon Nov 5 21:46:22 EST 2007


Kevin Koch wrote:
> I've outlined the main parts of the Windows CCAPI design for your reading
> enjoyment at http://web.mit.edu/kpkoch/Public/CCAPI-Windows-Design.html.
Kevin:

This is not a criticism of your proposal.  At the time the decision was
made to implement another "per-session credential server" there was no
CCAPI implementation compatible with 64-bit Windows and the expectation
was that this CCAPI implementation would be delivered in January 2008. 
Given that there is now 64-bit CCAPI support for the existing service,
what is the benefit of pursuing another "per-session implementation"
when it is known that a per-machine service implementation is eventually
required in order to support Vista UAC sessions and separation of
privileges between NT Services all running under the SYSTEM account?

I am concerned that a Vista UAC compatible CCAPI service will not be
until 2009 or beyond.   Perhaps you could evaluate whether or not the
per-machine solution could be completed before the anticipated release
of Kerberos v5 1.7 in the second half of 2008.

Jeffrey Altman
