Session key extraction

Nicolas Williams Nicolas.Williams at sun.com
Tue Dec 23 00:31:18 EST 2008


On Mon, Dec 22, 2008 at 06:33:49PM -0500, Jeffrey Hutzelman wrote:
> I'd be nervous about a "Get the Windows key" feature, but it may be 
> necessary to allow implementation of some Windows protocols.  If this 
> happens, I think it should have exactly the semantics Sam described, 
> including just failing for mechanisms not used on Windows.  Applications
> other than existing Windows protocols should use the RFC4401 interface, 
> which is portable to more implementations, more likely to exist in new 
> mechanisms, and safer to use.

I don't see how you can enforce what the application can do with the key
short of implementing the operations that use the key in those protocols
and exporting only an API for those operations.  And then you'd have to
worry about misuse of those.


