[Kdc-info] Password change operations

Nicolas Williams Nicolas.Williams at sun.com
Thu Jul 31 15:44:33 EDT 2003


On Thu, Jul 31, 2003 at 09:32:13PM +0200, Leif Johansson wrote:
> Nicolas Williams wrote:
> >Of course, one might prefer to use the ASN.1 types for the operations in
> >the change password draft through LDAP, rather than through a standalone
> >protocol.  Details would have to be worked out, but it seems doable.
> >
> >
> There might be a son-of-rfc3062 hidden here which imo would be a good thing.
> Lots of installations will probably use some kind of kdc+directory in
> the not too far future and I would hate for there to be confusion about
> a fundamental operation like password change.

Not only that, the change password protocol operations for password
changing/setting in the upcoming -01 are close to being independent of
Kerberos:  there's an optional enctypes field in the request and
response and error codes relating to enctypes, but that's it - the
target principal name is given in the outer "Request" type (which
wouldn't be used in a son-of-rfc3062, as you call it).

Mind you, I'd rather proceed with the Kerberos-specific change password
protocol than with a son-of-rfc3062.

On Thu, 31 Jul 2003 at 15:35:56 -0400, Sam Hartman wrote:
>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
>    >> I think that we need to allow implementations to also support
>    >> RFC 3062, possibly by funneling that through Nico's draft.
>
>    Nicolas> But the text should discourage this.  There's no
>    Nicolas> allowance for password policies in RFC3062.
>
>I suspect that most people will end up implementing this feature in
>practice and will return some useless error if policy denies the
>change.
>
>LDAP is one of the few technology-independent ways of changing your
>password.

See above.  If there's enough desire we could make a son-of-rfc3062.

Cheers,

Nico
-- 
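The thread above contrasts the Kerberos change-password draft with RFC 3062, whose LDAP Password Modify extended operation carries only a user identity, old password and new password, and has no field for conveying a password policy. The following is an added example, not code from the kdc-info list, the draft or any LDAP server: it hand-encodes and decodes the RFC 3062 PasswdModifyRequestValue and PasswdModifyResponseValue in BER, and includes a toy server-side handler (constructed for this example, with an assumed minimum-length policy) to show that the only channel a server has for a policy rejection is an LDAP result code such as constraintViolation (19) or unwillingToPerform (53) from RFC 4511 plus a free-text diagnostic message, which is the "useless error" Sam refers to.

```python
"""Added example: RFC 3062 LDAP Password Modify values, encoded by hand.

Not code from the kdc-info list or any LDAP implementation; the policy
check in handle_request is an assumption made for illustration.
"""
from typing import Dict, Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 extended-operation OID

# LDAP result codes (RFC 4511) a server can use when policy rejects a change.
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_UNWILLING_TO_PERFORM = 53

# Context-specific primitive tags for the three OPTIONAL request fields.
_REQUEST_TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one tag-length-value at pos; return (tag, value, next position)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def encode_request(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }"""
    parts = b""
    for tag, value in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if value is not None:
            parts += _tlv(tag, value.encode("utf-8") if isinstance(value, str) else value)
    return _tlv(0x30, parts)


def decode_request(buf: bytes) -> Dict[str, bytes]:
    """Inverse of encode_request; rejects unknown or duplicated fields."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("requestValue is not a single SEQUENCE")
    out: Dict[str, bytes] = {}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        name = _REQUEST_TAGS.get(tag)
        if name is None or name in out:
            raise ValueError(f"unexpected tag {tag:#x}")
        out[name] = value
    return out


def encode_response(gen_passwd: Optional[bytes] = None) -> bytes:
    """PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }
    genPasswd is only present when the server generated the password."""
    inner = _tlv(0x80, gen_passwd) if gen_passwd is not None else b""
    return _tlv(0x30, inner)


def handle_request(buf: bytes, min_length: int = 12) -> Tuple[int, str]:
    """Toy server side (constructed). RFC 3062 gives the server no structured
    place to describe its policy: a rejection is just a result code and a
    diagnosticMessage string."""
    req = decode_request(buf)
    new = req.get("newPasswd")
    if new is None:
        # This toy server does not generate passwords for the client.
        return LDAP_UNWILLING_TO_PERFORM, "server does not generate passwords"
    if len(new) < min_length:
        return LDAP_CONSTRAINT_VIOLATION, f"password shorter than {min_length} octets"
    return LDAP_SUCCESS, ""


if __name__ == "__main__":
    wire = encode_request("uid=alice", "old", "newlongpassword")  # constructed sample
    print(wire.hex(), decode_request(wire), handle_request(wire))
```

The decoder deliberately refuses duplicate or unknown tags rather than silently taking the last value, which is the kind of lenient parsing that lets a request mean different things to different implementations.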