[kdc-schema] [Kdc-info] Preliminary draft of LDAP Kerberos schema
Nicolas Williams
Nicolas.Williams at sun.com
Wed May 31 15:35:13 EDT 2006
On Mon, Jan 30, 2006 at 10:45:09PM -0700, Rajasekaran Nagarajan wrote:
> Hi Nico:
>
> Thanks very much for your comments. I shall appropriately incorporate
> these comments in the draft and post the updated draft soon.
Well?
BTW, MIT is getting close to shipping and I'm concerned. I'm
particularly concerned about the lack of versioning of the krbSecretKey
attribute, the 16-bit kvno, the lack of a master key vno, etc...
I think MIT ought to fix this now if at all possible. If there exist
deployments of this schema then rename krbSecretKey now and fix its
contents' format.
To restate my suggestion, with the addition of a format version number
and better extensibility:
First 2 bytes Major format version number
Next 2 bytes Minor format version number
Next 4 bytes Version number (kvno) of this key
Next 4 bytes Version number of the master key (K/M kvno) used
to encrypt the following data
<encrypted data>
The <encrypted data> octets are to be the output of the RFC3961
encrypt() function (which provides integrity protection in
addition to confidentiality protection) applied to data whose
format is given below using the master key named by the item
above:
First 4 bytes Version number of this key
First 2 bytes Length of principal name (princNameLength)
Next 2 bytes Number of keys for the principal (noOfKeys)
<key/salt types (2 or 4 bytes?) / lengths (2 bytes)>
<"unparsed" principal name (RFC1964 format)>
<key/salt values (octet strings of lengths given above)>
<unknown extra data to be ignored, like ASN.1 extensibility marker>
The format major version number should be incremented for backwards
incompatible format changes; the formatminor version number should be
incremented for backwards compatible format changes (extra data added at
the end).
Nico
--
More information about the kdc-schema
mailing list