Kerberos Feature Request

Henry B. Hotz hotz at
Tue Feb 10 20:28:45 EST 2004

At 6:26 PM -0500 2/10/04, Jeffrey Altman wrote:
>Henry B. Hotz wrote:
>>At 3:34 PM -0500 2/10/04, Jeffrey Altman wrote:
>>>I agree that there should be an optional way of adding arbitrary 
>>>authorization data to Kerberos tickets. I agree with Sam that this 
>>>is not something that should be standardized by the IETF because 
>>>it is outside the realm of a protocol definition.  The Kerberos 5 
>>>standard already describes how authorization is placed within a 
>>Where does it describe that?
>>I see stuff in the RFCs about how to forward the data and how to 
>>add to it, but nothing about how the KDC should/might put a 
>>mandatory initial set of stuff in it.
>Please see Clarifications Section 5.2.6.

I think this only discusses the "what is", not the "where from" of 
authorization data.

>How the KDC obtains authorization data from an external 
>authorization service is outside the scope of the Kerberos 
>protocol.  What you are asking for is the specification of an API 
>not a protocol.  APIs are outside the scope of an IETF working group 
>in almost all cases.  The API you are looking for would be specified 
>by the authorization service; not the KDC.  What the KDC has to 
>implement is a hook:
>     krb5kdc_get_authorization_data(krb5_context, principal_name, krb5_data *)
>which allows a third party to define an implementation of the 
>authorization data retrieval protocol specified by the authorization 

Choosing to satisfy my request with an API is a choice and is not the 
only thing that would make me happy.

If the krb5_data* in the above is specifically the authorization data 
and what the routine returns gets inserted into that field of the 
initial ticket AND both MIT and Heimdal implement it compatibly then 
I'm satisfied.  ;-)
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
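The hook sketched in the quoted reply above, worked through in C as an added example (it is not code from the thread, from MIT Kerberos or from Heimdal): a KDC-side registration point with the signature Jeffrey gave, a third-party implementation that fills the krb5_data from a constructed lookup table, and the KDC logic that copies the result into the initial ticket's authorization-data field. The krb5_data and krb5_context stand-ins, the error codes, the function names other than krb5kdc_get_authorization_data's shape, and the sample principals are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the krb5 types, shaped after the public MIT
 * definitions but declared here so the example builds without krb5.h.
 * Everything in this file is illustrative, not MIT or Heimdal code. */
typedef int krb5_error_code;
typedef struct { int magic; unsigned int length; char *data; } krb5_data;
typedef struct { const char *default_realm; } krb5_context_rec;
typedef krb5_context_rec *krb5_context;

#define AUTHZ_OK        0
#define AUTHZ_NO_DATA   1   /* hypothetical: hook has nothing for this principal */
#define AUTHZ_NOMEM     2   /* hypothetical: allocation failure inside the hook */

/* The hook signature from the thread: the KDC passes the client principal
 * and receives the blob to place in the initial ticket's authorization data. */
typedef krb5_error_code (*kdc_authz_hook)(krb5_context, const char *principal_name,
                                          krb5_data *ad_out);

/* --- Third-party side: a sample hook backed by a constructed table --- */
struct authz_entry { const char *principal; const char *blob; };
static const struct authz_entry sample_store[] = {   /* constructed sample data */
    { "hotz@EXAMPLE.ORG",    "group=krbdev;role=admin" },
    { "jaltman@EXAMPLE.ORG", "group=krbdev" },
};

static krb5_error_code sample_authz_hook(krb5_context ctx, const char *principal,
                                         krb5_data *out)
{
    size_t i;
    (void)ctx;
    out->magic = 0;
    out->length = 0;
    out->data = NULL;
    for (i = 0; i < sizeof sample_store / sizeof sample_store[0]; i++) {
        if (strcmp(sample_store[i].principal, principal) == 0) {
            size_t n = strlen(sample_store[i].blob);
            out->data = malloc(n);          /* caller owns and frees the blob */
            if (out->data == NULL) return AUTHZ_NOMEM;
            memcpy(out->data, sample_store[i].blob, n);
            out->length = (unsigned int)n;
            return AUTHZ_OK;
        }
    }
    return AUTHZ_NO_DATA;
}

/* --- KDC side: the hook is optional, and "no data" is not an error --- */
typedef struct { krb5_data authorization_data; } ticket_enc_part;

static kdc_authz_hook registered_hook = NULL;

void kdc_register_authz_hook(kdc_authz_hook hook) { registered_hook = hook; }

/* Fill the initial ticket's authorization-data field from the hook.
 * No hook, or no data for this principal, leaves the field empty and
 * succeeds; only real failures (e.g. out of memory) are reported, and a
 * failed ticket never carries a half-filled field. */
krb5_error_code kdc_fill_initial_authz(krb5_context ctx, const char *cname,
                                       ticket_enc_part *t)
{
    krb5_error_code ret;
    t->authorization_data.magic = 0;
    t->authorization_data.length = 0;
    t->authorization_data.data = NULL;
    if (registered_hook == NULL) return AUTHZ_OK;
    ret = registered_hook(ctx, cname, &t->authorization_data);
    if (ret == AUTHZ_NO_DATA) return AUTHZ_OK;
    if (ret != AUTHZ_OK) {
        free(t->authorization_data.data);
        t->authorization_data.data = NULL;
        t->authorization_data.length = 0;
    }
    return ret;
}

void free_ticket_authz(ticket_enc_part *t)
{
    free(t->authorization_data.data);
    t->authorization_data.data = NULL;
    t->authorization_data.length = 0;
}

int main(void)
{
    krb5_context_rec ctx = { "EXAMPLE.ORG" };
    ticket_enc_part t;
    kdc_register_authz_hook(sample_authz_hook);
    if (kdc_fill_initial_authz(&ctx, "hotz@EXAMPLE.ORG", &t) == AUTHZ_OK)
        printf("authz for hotz: %.*s\n", (int)t.authorization_data.length,
               t.authorization_data.data);
    free_ticket_authz(&t);
    return 0;
}
```

The point the thread turns on is visible in kdc_fill_initial_authz: the KDC only defines where the blob goes and who owns the memory, while the source of the data lives entirely behind the function pointer, so two KDC implementations that agree on the signature and on this ownership rule can load the same third-party hook.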
