Using Kerberos for authenticating the distribution of controlled substances, etc.

Sam Hartman hartmans at MIT.EDU
Wed Jul 18 16:59:56 EDT 2007




Things to think about for this:

* Manage to keep server time in sync with the client KDC time somehow

* Require a short window between auth time and the service ticket issue time and between all of these and the current server time

* Provide an authorization data item in the ticket saying that this is
  a single use item for a specific transaction ID.


* Provide protocol best practices for how you should design your protocol.

* Provide client APIs that work.

If you could trust enough of the KDCs you could probably escape the
need for time sync relying on the fact that a particular authorization
data item needed to be in the initial tgt.  This is actually a bit
tricky because there is not currently a way for a client to ask for
authorization data in the initial tgt.
FAST could help here.

--Sam
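The server-side check that the bullets above describe, written out as an added example (it is not code from this mail or from MIT Kerberos). It assumes the ticket has already been decrypted and that its authtime, issue time and authorization data are available as the `Ticket` fields below; the `AD_SINGLE_USE_TXN` authorization-data type number is made up for illustration, since the mail does not assign one. The check enforces the short window between all three timestamps and then consumes the transaction ID so a second presentation of the same ticket is refused.

```python
# Added example, not from the original mail or from MIT Kerberos.
# Field names and the ad-type number are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical authorization-data type carrying a single-use transaction ID.
# Real ad-type numbers are assigned elsewhere; this value is invented here.
AD_SINGLE_USE_TXN = 9999


@dataclass
class Ticket:
    """The fields of a decrypted service ticket that the check needs (constructed)."""
    authtime: datetime     # when the client originally authenticated (initial TGT)
    starttime: datetime    # when the KDC issued this service ticket
    authdata: dict         # ad-type -> ad-data bytes


class ReplayStore:
    """Remembers consumed transaction IDs for as long as a ticket could still be fresh."""

    def __init__(self, retention: timedelta):
        # A ticket first seen at time t can pass the freshness check until
        # roughly t + 2*window, so retention must be at least twice the window.
        self.retention = retention
        self._seen: dict[str, datetime] = {}

    def consume(self, txn_id: str, now: datetime) -> bool:
        # Forget IDs older than the retention horizon; a ticket that old would
        # already fail the freshness window, so it can no longer be replayed.
        cutoff = now - self.retention
        self._seen = {k: t for k, t in self._seen.items() if t >= cutoff}
        if txn_id in self._seen:
            return False
        self._seen[txn_id] = now
        return True


def validate(ticket: Ticket, now: datetime, store: ReplayStore,
             window: timedelta = timedelta(seconds=60)) -> tuple[bool, str]:
    """Accept a ticket only if authtime, issue time and server time all lie
    within `window` of each other and its transaction ID is unused."""
    pairs = [
        ("authtime", ticket.authtime, "ticket issue time", ticket.starttime),
        ("ticket issue time", ticket.starttime, "server time", now),
        ("authtime", ticket.authtime, "server time", now),
    ]
    for name_a, a, name_b, b in pairs:
        if abs(b - a) > window:
            return False, (f"{name_a} and {name_b} differ by more than "
                           f"{window.total_seconds():.0f}s")

    raw = ticket.authdata.get(AD_SINGLE_USE_TXN)
    if raw is None:
        return False, "no single-use authorization data"
    txn_id = raw.decode("utf-8")
    if not store.consume(txn_id, now):
        return False, "transaction ID already used"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: server clock, and a ticket issued 10 s ago for a
    # client that authenticated 30 s ago.
    now = datetime(2007, 7, 18, 20, 59, 56, tzinfo=timezone.utc)
    store = ReplayStore(retention=timedelta(seconds=120))
    fresh = Ticket(now - timedelta(seconds=30), now - timedelta(seconds=10),
                   {AD_SINGLE_USE_TXN: b"txn-0001"})
    print(validate(fresh, now, store))   # accepted
    print(validate(fresh, now, store))   # refused: same transaction presented again
```

The replay store is what turns the authorization data item into a single-use item; without it the short window alone would still permit a second use within the window. Keeping the store's retention tied to the window is what keeps it bounded.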



