Kerberos Feature Request

Nicolas Williams Nicolas.Williams at
Wed Feb 11 16:50:46 EST 2004

On Wed, Feb 11, 2004 at 12:34:23PM -0800, Henry B. Hotz wrote:
> After being jumped on for mis-using the Microsoft term PAC when I 
> meant the generic Kerberos term "authorization data" I went and 
> RE-read the relevant sections of 1510 and the DRAFT clarifications 
> (including the specific section of the latter that JA pointed at). 
> As far as I can see there is nothing in them that addresses the KDC 
> to (unspecified) authorization service interface that would be 
> necessary in order for the KDC to acquire KDC-ISSUED authorization 
> data.

Standard authz-data types?  Sure.

BCP on how KDCs (and/or clients, as appropriate) should obtain the
relevant data for standard authz-data types?  Ok.

Informational/experimental KDC-side "interfaces?"  Ok.

Standard KDC-side "interfaces?"  Seems unlikely and unnecessary.

As for interfaces to access authz-data on clients/servers (not KDCs), I
can see this for application-specific authz-data types, but for
authz-data types that are meant to be interpreted by the OS I suspect
that platform-specific interfaces are what users will get.  And such
interfaces would be best designed as extensions to the GSS-API.  IIRC
the GGF has a proposal in this area.

> If someone tells me that the IETF is interested and discussing the 
> issue then I will join and participate as much as I can.  If some 
> proposals that I'm writing now get funded then I will definitely join 
> and might even lead the discussion if it still seems appropriate.

I'm interested in standardizing some useful authz-data types.

> Doesn't the Kerberos FAQ recommend that you use GSSAPI in preference 
> to the MIT API?  ;-)

If it doesn't then it should :)  The IETF should, IMO, stay away from
krb5 APIs for the foreseeable future, maybe forever.



More information about the krbdev mailing list