krb5_pac_verify and server key enctype extraction

Luke Howard lukeh at
Tue Aug 4 13:44:24 EDT 2009

> Yeah, it took me a while to realise that that was I had always done.
> But yes, we should do what Sam suggests for 1.8.

So: Sam's suggestion is to expose the verified PAC via the recently  
published GSS naming extensions draft. This sounds reasonable to me.

Love: did Heimdal always verify the PAC in gss_accept_sec_context()?  
This is an issue for MIT, because 1.7 we shipped APIs for extracting  
authorisation data. An application unaware of which GSS-API  
implementation it is using cannot be sure whether the PAC was verified  
after calling gss_accept_sec_context().


-- Luke

More information about the krbdev mailing list