Kerberos Feature Request
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Feb 10 20:28:45 EST 2004
At 6:26 PM -0500 2/10/04, Jeffrey Altman wrote:
>Henry B. Hotz wrote:
>>At 3:34 PM -0500 2/10/04, Jeffrey Altman wrote:
>>>I agree that there should be an optional way of adding arbitrary
>>>authorization data to Kerberos tickets. I agree with Sam that this
>>>is not something that should be standardized by the IETF because
>>>it is outside the realm of a protocol definition. The Kerberos 5
>>>standard already describes how authorization is placed within a
>>Where does it describe that?
>>I see stuff in the RFCs about how to forward the data and how to
>>add to it, but nothing about how the KDC should/might put a
>>mandatory initial set of stuff in it.
>Please see Clarifications Section 5.2.6.
I think this only discusses the "what is", not the "where from" of
>How the KDC obtains authorization data from an external
>authorization service is outside the scope of the Kerberos
>protocol. What you are asking for is the specification of an API
>not a protocol. APIs are outside the scope of an IETF working group
>in almost all cases. The API you are looking for would be specified
>by the authorization service; not the KDC. What the KDC has to
>implement is a hook:
> krb5kdc_get_authorization_data(krb5_context, principal_name, krb5_data *)
>which allows a third party to define an implementation of the
>authorization data retrieval protocol specified by the authorization
Choosing to satisfy my request with an API is a choice and is not the
only thing that would make me happy.
If the krb5_data* in the above is specifically the authorization data
and what the routine returns gets inserted into that field of the
initial ticket AND both MIT and Heimdal implement it compatibly then
I'm satisfied. ;-)
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu