Auditing Feature in Kerberos greg at
Fri Mar 24 05:36:39 EST 2006

On Mar 23, 10:50pm, Jeffrey Altman wrote:
} Subject: Re: Auditing Feature in Kerberos

> greg at wrote:
> > It may be but it does fail a direct correllation requirement.  If the
> > IP address is implemented in the payload the ad_data strategy also
> > allows pinning the audit trail to the KDC which issued the ticket.
> > 
> > It all comes down to whether or not it is sufficient to answer the
> > audit question with 'we think it might be' or 'it is'.
> > 
> > I have found that people concerned with audit trails can be
> > surprisingly pedantic in their assurance requirements.
> > 
> > Greg

> Which is why I recommended the items I suggested a couple of days
> ago including logging hashes of the tickets that are issued and
> received as part of the transactions.  I don't think we need a new
> identifier.

Its certainly your party.

The hashing approach would still seem to be problematic in the context
of a multi-KDC implementation.

In the near future any relevant Kerberos implementations are going to
be doing ad_data payloading.  In that scenario explicit correlation is

> Jeffrey Altman


}-- End of excerpt from Jeffrey Altman

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at
"Forget committees.  New, noble, world changing ideas come from one
person working alone."
                                -- Tina Etzell's unknown quote book.

More information about the krbdev mailing list