Can we sort preauth data in an AS reply

Jeffrey Hutzelman jhutz at
Tue Oct 3 17:55:10 EDT 2006

On Tuesday, October 03, 2006 05:20:20 PM -0400 Sam Hartman 
<hartmans at MIT.EDU> wrote:

>>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at> writes:
>     Jeffrey> I see no reason why a client shouldn't be able to process
>     Jeffrey> padata in any order it wants
> Certainly my preauth framework draft contemplated incrementally
> strengthening the reply key as you went through the padata in the
> order supplied by the KDC.

I don't think there is anything which prevents the introduction of new PA 
types or sets of PA types which must be processed in a specific order, 
provided the specifications for those types describe this.  I also don't 
think there's anything today which makes it reasonable to assume that 
clients will process existing PA types in any particular order.

I think it would be a good idea to ask the WG if people anticipate 
introducing types where order matters, if you think that an accurate 
prediction today will make your life as an implementor easier in the future.

-- Jeff

More information about the krbdev mailing list