hartmans at MIT.EDU
Mon Nov 25 14:58:01 EST 2002
>>>>> "Darren" == Darren Reed (Optimation) <darrenr at optimation.com.au> writes:
Darren> Is there a specification anywhere detailing what each of
Darren> the preauthentication data formats should be?
Darren> I've discovered that Cybersafe's Kerberos used "unixtime"
Darren> (KRB5_PADATA_ENC_UNIX_TIME) preauthentication data and
Darren> have been able to guess at the format but when I looked at
Darren> what's provided for KRB5_PADATA_ENC_TIMESTAMP, expecting
Darren> it to be similar, I find it to be vastly different.
Darren> The most significant difference is that the timestamp data
Darren> in krb5 packets is ASN.1 formatted, whereas the unixtime
Darren> data being sent for Cybersafe is not - just a nonce, the
Darren> time repeated a few times and a trailer.
Darren> At least one mention of unixtime on the web suggests that
Darren> unixtime has been deprecated (I have no problem with this)
Darren> but if I can at least get the verify function correct (and
Darren> tested), is the krbdev team interested in patches?
We'd certainly evaluate patches and, it looks from internal discussion,
would be reasonably likely to accept well-written patches.
I wouldn't bother with a --enable-unix-time option.
You are correct that unix time has been deprecated. I don't know if
it has security properties different than the encrypted timestamp; if
it does, we may be less interested in it.