[krbdev.mit.edu #5349] Proposed implementation of krb5_server_decrypt_ticket_keyblock and krb5_server_decrypt_ticket_keytab

Sam Hartman via RT rt-comment at krbdev.mit.edu
Mon Jan 15 13:30:36 EST 2007


In general this seems good.

Why do we want the keyblock version of the function?  That seems like
it will encourage a lot of undesirable coding practices where keys are
not stored in keytabs or where applications do not support key rollover
correctly.

We've talked in the past about having a memory keytab to deal with situations where applications don't have a keytab.
I think that would be better in this instance.
However, I can't see cases where TLS or RXK5 applications will not have a keytab.

I'm also not sure I buy the idea that kvno should use this interface
rather than mk_req rd_req.  I don't object to kvno using this
interface, I'm just not sure it matters.

More information about the krb5-bugs mailing list