Auditing Feature in Kerberos

Jeffrey Altman jaltman at MIT.EDU
Thu Mar 23 22:50:23 EST 2006

greg at wrote:

> It may be but it does fail a direct correllation requirement.  If the
> IP address is implemented in the payload the ad_data strategy also
> allows pinning the audit trail to the KDC which issued the ticket.
> It all comes down to whether or not it is sufficient to answer the
> audit question with 'we think it might be' or 'it is'.
> I have found that people concerned with audit trails can be
> surprisingly pedantic in their assurance requirements.
> Greg

Which is why I recommended the items I suggested a couple of days
ago including logging hashes of the tickets that are issued and received
as part of the transactions.  I don't think we need a new identifier.

Jeffrey Altman

More information about the krbdev mailing list