[Kdc-info] Preliminary draft of LDAP Kerberos schema

Nicolas Williams Nicolas.Williams at sun.com
Wed May 31 15:35:13 EDT 2006

On Mon, Jan 30, 2006 at 10:45:09PM -0700, Rajasekaran Nagarajan wrote:
> Hi Nico:
> Thanks very much for your comments. I shall appropriately incorporate
> these comments in the draft and post the updated draft soon.


BTW, MIT is getting close to shipping and I'm concerned.  I'm
particularly concerned about the lack of versioning of the krbSecretKey
attribute, the 16-bit kvno, the lack of a master key vno, etc...

I think MIT ought to fix this now if at all possible.  If there exist
deployments of this schema then rename krbSecretKey now and fix its
contents' format.

To restate my suggestion, with the addition of a format version number
and better extensibility:

      First 2 bytes     Major format version number
      Next  2 bytes     Minor format version number
      Next  4 bytes     Version number (kvno) of this key
      Next  4 bytes     Version number of the master key (K/M kvno) used
                        to encrypt the following data
      <encrypted data>

      The <encrypted data> octets are to be the output of the RFC3961
      encrypt() function (which provides integrity protection in
      addition to confidentiality protection)  applied to data whose
      format is given below using the master key named by the item

      First 4 bytes     Version number of this key
      First 2 bytes     Length of principal name (princNameLength)
      Next  2 bytes     Number of keys for the principal (noOfKeys)

      <key/salt types (2 or 4 bytes?) / lengths (2 bytes)>

      <"unparsed" principal name (RFC1964 format)>

      <key/salt values (octet strings of lengths given above)>

      <unknown extra data to be ignored, like ASN.1 extensibility marker>

The format major version number should be incremented for backwards
incompatible format changes; the formatminor version number should be
incremented for backwards compatible format changes (extra data added at
the end).


More information about the krbdev mailing list