Multi-round trip extension

Nico Williams nico at cryptonector.com
Mon Sep 1 17:49:22 EDT 2014


It'd be nice if the AP / mech protocol could recover from various
failures by doing one more round-trip, such as:

 - skew too great

 - wrong kvno (why force users to kinit?! this is a huge pain-point for
   users!)

 - replay cache avoidance (server doesn't want it; challenge/response)

 - replay cache false positive (if the server is using a probabilistic
   rcache data structure)

Protocol-wise we just need an Authenticator flag by which the client/
initiator can tell the server that it is willing to engage in one
more round trip.  The server/acceptor needs a way to indicate the
same in a KRB-ERROR (or through an extended AP-REP, maybe? when the
server can decrypt the Ticket).

Discovering HTTP/Negotiate apps that can't deal with more than one
round trip will. be. fun.  We may have to exempt the HTTP service in
some cases.

Nico
-- 
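The exchange Nico sketches above, as an added toy simulation (not code from this thread or from MIT krb5): an initiator sets a flag in its Authenticator saying it will do one more round trip; when the acceptor hits a recoverable failure (skew too great, replay-cache hit, or a server that refuses to keep a replay cache) it answers with a KRB-ERROR carrying a matching flag plus its own time and a fresh challenge, and the initiator retries once. The field names `one_more_round_trip`, `retry_ok` and `challenge` are assumptions standing in for whatever the real extension would define; the error codes are the RFC 4120 values. In a real protocol the challenge would be bound to the session key, which this toy omits.

```python
"""Toy model of a one-more-round-trip recovery for the Kerberos AP exchange.

Constructed example, not code from the mailing-list thread or from any
Kerberos implementation. Message shapes and the flag/field names are
assumptions; only the error codes and the 300 s skew limit are real.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Union

# RFC 4120 KRB-ERROR codes used by the acceptor below
KRB_AP_ERR_REPEAT = 34    # request is a replay
KRB_AP_ERR_SKEW = 37      # clock skew too great
MAX_SKEW = 300            # seconds; the usual clockskew default


@dataclass
class Authenticator:
    client: str
    ctime: int
    one_more_round_trip: bool = False    # hypothetical initiator flag
    challenge: Optional[bytes] = None    # echoed from a prior KRB-ERROR


@dataclass
class KrbError:
    code: int
    stime: int                           # acceptor's clock, for skew repair
    retry_ok: bool = False               # hypothetical acceptor flag
    challenge: Optional[bytes] = None    # nonce the retry must echo


@dataclass
class Acceptor:
    clock: int                           # acceptor's notion of "now"
    use_rcache: bool = True              # False: server wants no replay cache
    rcache: set = field(default_factory=set)
    outstanding: set = field(default_factory=set)   # challenges issued

    def accept(self, auth: Authenticator) -> Union[str, KrbError]:
        # Challenge/response path: an echoed, still-outstanding challenge
        # proves freshness, so neither skew check nor replay cache is needed.
        if auth.challenge is not None:
            if auth.challenge not in self.outstanding:
                return KrbError(KRB_AP_ERR_REPEAT, self.clock)
            self.outstanding.discard(auth.challenge)    # single use
            return "AP-REP"
        if abs(auth.ctime - self.clock) > MAX_SKEW:
            return self._fail(KRB_AP_ERR_SKEW, auth)
        if not self.use_rcache:
            # No replay cache here: push every initiator to challenge/response.
            return self._fail(KRB_AP_ERR_REPEAT, auth)
        key = (auth.client, auth.ctime)
        if key in self.rcache:                      # replay-cache hit
            return self._fail(KRB_AP_ERR_REPEAT, auth)
        self.rcache.add(key)
        return "AP-REP"

    def _fail(self, code: int, auth: Authenticator) -> KrbError:
        err = KrbError(code, self.clock)
        if auth.one_more_round_trip:               # only if the client offered
            err.retry_ok = True
            err.challenge = secrets.token_bytes(16)
            self.outstanding.add(err.challenge)
        return err


def authenticate(client: str, client_clock: int, acceptor: Acceptor,
                 willing: bool = True):
    """Initiator side: one AP-REQ plus at most one recovery round trip.

    Returns (result, round_trips) where result is "AP-REP" or a KrbError.
    """
    first = Authenticator(client, client_clock, one_more_round_trip=willing)
    result = acceptor.accept(first)
    if result == "AP-REP" or not result.retry_ok:
        return result, 1
    # Recovery: adopt the acceptor's time and echo its challenge.
    second = Authenticator(client, result.stime, challenge=result.challenge)
    return acceptor.accept(second), 2


if __name__ == "__main__":
    srv = Acceptor(clock=1_000_000)
    print(authenticate("alice", 1_000_900, srv))     # skewed: recovers in 2
    print(authenticate("bob", 1_000_900, srv, willing=False))   # plain error
```

Walking through `authenticate` with a 900-second skew shows the point of the Authenticator flag: without it the acceptor can only emit the usual `KRB_AP_ERR_SKEW`, with it the same failure becomes a second round trip that the acceptor also uses to skip its replay cache.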
