Kerberos Feature Request

Ken Hornstein kenh at
Wed Feb 11 11:05:30 EST 2004

>Jeffrey Altman objects that I want an API, not an RFC, so IETF 
>shouldn't be involved, but I think the example I just gave would be 
>an RFC.  I'm trying to limit my care-about's though.  I just want a 
>general way to make use of the feature, which is currently pretty 

I guess I don't understand why you need an RFC.  From a protocol
standpoint (the main point of interest of the IETF), the work has, from
my perspective, already been done.  How you transmit authorization data
is completely defined within the protocol.  (And I will echo others:
you should really read the clarifications document for the most current
information on the handling of authorization data within the Kerberos

Now, currently the authorization data is what you call "pretty
inaccessible".  If you're speaking in terms of the GSSAPI, I would
agree.  However, if you are using the MIT krb5 API, then I wouldn't
agree, because you can get access to the authorization data on
application servers via the MIT krb5 API (which is what you really
care about from an application server perspective).  You can utilize
this API feature no matter whose KDC you are using.

Now, it's true that currently an MIT KDC has no way of inserting
authorization data into service tickets.  That, however, is purely an
_implementation_ issue.  You could add such code today, and it wouldn't
require a protocol change at all.  Where you get the authorization data
from is completely up to you; the _protocol_ doesn't care, and the
Kerberos RFC shouldn't require any modification.  This is, of course,
assuming that I'm understanding what you're asking for.
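The on-the-wire form Ken is referring to is fixed by the Kerberos ASN.1: AuthorizationData is a SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }. The following is an added example, not code from the thread or from MIT krb5: a bounds-checked DER walker an application server could use to enumerate the elements of that structure. The sample bytes are constructed here and the ad-data payloads are placeholders, not real ticket contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One parsed AuthorizationData element (RFC 4120, section 5.2.6). */
typedef struct { int32_t ad_type; const uint8_t *ad_data; size_t ad_len; } authdata_t;

/* Read one DER TLV at *p (bounded by end) and check it carries `tag`.
 * Returns a pointer to the value and sets *len; advances *p past the TLV.
 * Returns NULL on truncation, wrong tag, or an unsupported length form. */
static const uint8_t *der_tlv(const uint8_t **p, const uint8_t *end,
                              uint8_t tag, size_t *len) {
    const uint8_t *q = *p;
    if (end - q < 2 || *q++ != tag) return NULL;
    size_t n = *q++;
    if (n & 0x80) {                       /* long form: 1 or 2 length bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > 2 || (size_t)(end - q) < k) return NULL;
        for (n = 0; k; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return NULL;
    *len = n; *p = q + n;
    return q;
}

/* Parse a DER AuthorizationData into out[] (at most max entries).
 * Returns the element count, or -1 if the encoding is malformed. */
int parse_authdata(const uint8_t *der, size_t der_len, authdata_t *out, int max) {
    const uint8_t *p = der, *end = der + der_len, *seq, *el, *c0, *c1, *iv, *v;
    size_t n, m;
    int count = 0;
    if (!(seq = der_tlv(&p, end, 0x30, &n)) || p != end) return -1;   /* outer SEQUENCE */
    for (const uint8_t *se = seq + n; seq < se; count++) {
        if (count == max || !(el = der_tlv(&seq, se, 0x30, &n))) return -1; /* inner SEQUENCE */
        const uint8_t *ee = el + n;
        if (!(c0 = der_tlv(&el, ee, 0xA0, &m))) return -1;               /* [0] ad-type */
        const uint8_t *c0e = c0 + m;
        if (!(iv = der_tlv(&c0, c0e, 0x02, &m)) || c0 != c0e || m == 0 || m > 4) return -1;
        uint32_t u = (iv[0] & 0x80) ? 0xFFFFFFFFu : 0;                   /* sign-extend Int32 */
        for (size_t i = 0; i < m; i++) u = (u << 8) | iv[i];
        if (!(c1 = der_tlv(&el, ee, 0xA1, &m)) || el != ee) return -1;   /* [1] ad-data */
        const uint8_t *c1e = c1 + m;
        if (!(v = der_tlv(&c1, c1e, 0x04, &m)) || c1 != c1e) return -1;  /* OCTET STRING */
        out[count].ad_type = (int32_t)u; out[count].ad_data = v; out[count].ad_len = m;
    }
    return count;
}

/* Constructed sample, not taken from a real ticket: ad-type 1 (AD-IF-RELEVANT) with
 * placeholder bytes "abc", then ad-type 128 (AD-WIN2K-PAC) with placeholder "PAC!". */
const uint8_t sample_authdata[] = {
    0x30,0x1E,
      0x30,0x0C, 0xA0,0x03,0x02,0x01,0x01, 0xA1,0x05,0x04,0x03,'a','b','c',
      0x30,0x0E, 0xA0,0x04,0x02,0x02,0x00,0x80, 0xA1,0x06,0x04,0x04,'P','A','C','!'
};
```

With MIT krb5 the same elements are already decoded for you after krb5_rd_req(), as the null-terminated krb5_authdata list in ticket->enc_part2->authorization_data; the walker above only shows what that list is carrying.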


More information about the krbdev mailing list