64-bit KFW Status

Jeffrey Altman jaltman at secure-endpoints.com
Wed Sep 12 15:25:31 EDT 2007


Kevin Koch wrote:
> Is the 64 bit leash API public or internal only?
Most of the 32-bit Leash API is supposedly private but the reality is
that it is used by third parties.
The 64-bit Leash API is officially private.
> If 32 bit and 64 bit MSIs can be built but only one may be installed at a
> time, a smart installer that 'does the right thing' must be part of KfW 4.
> Please propose how it will work before announcing it as a fait accompli.
No one said that 32-bit and 64-bit MSIs could not be installed at the
same time.

What I said was that 32-bit NSIS and 64-bit MSI could not be installed
at the same time.
>
> If only one NIM can be installed, then I don't understand the bullet about
> UpgradeCodes and parallel installs on 32- and 64-bit MSIs.  Why allow
> parallel installs?
You need parallel installs so that 32-bit applications on the machine
have access to 32-bit Kerberos libraries and 64-bit applications have
access to 64-bit libraries.
>  
> The value of this [what do you propose calling it?] depends a lot on the
> extent to which the ccache server 'does not behave well under Vista UAC.'
> Can you elaborate on that?
What does "this [what do you propose calling it?]" refer to?

Per-session credential caches provide a poor experience on Windows Vista
under UAC because processes that run with restricted privileges and
processes that run without restrictions are in two different logon
sessions even though they share the same desktop.   Therefore, if you
start a credential cache in the restricted environment, put tickets in
it, and then start a process without restrictions, the process without
restrictions will not be able to read from the credential cache server
in the restricted session and will not be able to make use of the
tickets that are stored there.

This is the complaint that Richard has.

>
> Since Kerberos v4 is removed, this is a KfW 4.0 product. 
I disagree.   Kerberos v4 was not removed.  Kerberos v4 never existed.
KFW 4.0 removes the Kerberos v4 functionality from 32-bit KFW where
people have applications that rely on it.
There are no applications that rely on Kerberos v4 KFW support in the
64-bit application space.
>  How does this
> coordinate with the eventual replacement of CCAPI with a platform
> independent implementation?
>
Your CCAPI has to provide a compatible krbcc32.dll and krbcc64.dll.   If
it doesn't, your implementation won't be compatible with applications
built against previous releases of KFW.  Hence, there are no transition
issues.

Jeffrey Altman
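
The logon-session split described in the reply above can be observed directly by comparing a process token with its UAC linked token. This PowerShell snippet is an added example, not part of the original message or of KfW; the `LogonSessionProbe` class and its method names are hypothetical, and it assumes Windows Vista or later with UAC enabled.

```powershell
# Added example (hypothetical helper names): show the logon session LUID of the
# current process token and of the other half of its UAC split token.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class LogonSessionProbe {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_STATISTICS {
        public LUID TokenId; public LUID AuthenticationId; public long ExpirationTime;
        public int TokenType; public int ImpersonationLevel;
        public uint DynamicCharged; public uint DynamicAvailable;
        public uint GroupCount; public uint PrivilegeCount; public LUID ModifiedId;
    }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
        out TOKEN_STATISTICS info, int length, out int returned);
    [DllImport("advapi32.dll", SetLastError = true, EntryPoint = "GetTokenInformation")]
    static extern bool GetLinkedToken(IntPtr token, int infoClass,
        out IntPtr linked, int length, out int returned);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);
    const int TokenStatistics = 10, TokenLinkedToken = 19;

    // AuthenticationId identifies the logon session the token belongs to.
    public static string SessionOf(IntPtr token) {
        TOKEN_STATISTICS s; int n;
        if (!GetTokenInformation(token, TokenStatistics, out s,
                Marshal.SizeOf(typeof(TOKEN_STATISTICS)), out n))
            throw new System.ComponentModel.Win32Exception();
        return String.Format("{0:x}:{1:x8}", s.AuthenticationId.HighPart, s.AuthenticationId.LowPart);
    }
    // Logon session of the linked (restricted or full) token; null if the token has none.
    public static string LinkedSessionOf(IntPtr token) {
        IntPtr linked; int n;
        if (!GetLinkedToken(token, TokenLinkedToken, out linked, IntPtr.Size, out n)) return null;
        try { return SessionOf(linked); } finally { CloseHandle(linked); }
    }
}
'@

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()  # keep the object alive while its handle is used
"This process logon session : " + [LogonSessionProbe]::SessionOf($id.Token)
"Linked token logon session : " + [LogonSessionProbe]::LinkedSessionOf($id.Token)
```

On an account with a UAC split token the two values differ, which is why a per-session credential cache started in one half is not reachable from the other.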



More information about the kfwdev mailing list