Kerberos Feature Request
Nicolas.Williams at sun.com
Wed Feb 11 16:50:46 EST 2004
On Wed, Feb 11, 2004 at 12:34:23PM -0800, Henry B. Hotz wrote:
> After being jumped on for mis-using the Microsoft term PAC when I
> meant the generic Kerberos term "authorization data" I went and
> RE-read the relevant sections of 1510 and the DRAFT clarifications
> (including the specific section of the latter that JA pointed at).
> As far as I can see there is nothing in them that addresses the KDC
> to (unspecified) authorization service interface that would be
> necessary in order for the KDC to acquire KDC-ISSUED authorization
Standard authz-data types? Sure.
BCP on how KDCs (and/or clients, as appropriate) should obtain the
relevant data for standard authz-data types? Ok.
Informational/experimental KDC-side "interfaces?" Ok.
Standard KDC-side "interfaces?" Seems unlikely and unnecessary.
As for interfaces to access authz-data on clients/servers (not KDCs), I
can see this for application-specific authz-data types, but for
authz-data types that are meant to be interpreted by the OS I suspect
that platform-specific interfaces are what users will get. And such
interfaces would be best designed as extensions to the GSS-API. IIRC
the GGF has a proposal in this area.
> If someone tells me that the IETF is interested and discussing the
> issue then I will join and participate as much as I can. If some
> proposals that I'm writing now get funded then I will definitely join
> and might even lead the discussion if it still seems appropriate.
I'm interested in standardizing some useful authz-data types.
> Doesn't the Kerberos FAQ recommend that you use GSSAPI in preference
> to the MIT API? ;-)
If it doesn't then it should :) The IETF should, IMO, stay away from
krb5 APIs for the foreseeable future, maybe forever.