krb5_pac_verify and server key enctype extraction
lukeh at padl.com
Tue Aug 4 13:44:24 EDT 2009
> Yeah, it took me a while to realise that that was what I had always done.
> But yes, we should do what Sam suggests for 1.8.
So: Sam's suggestion is to expose the verified PAC via the recently
published GSS naming extensions draft. This sounds reasonable to me.
Love: did Heimdal always verify the PAC in gss_accept_sec_context()?
This is an issue for MIT, because in 1.7 we shipped APIs for extracting
authorisation data. An application unaware of which GSS-API
implementation it is using cannot be sure whether the PAC was verified
after calling gss_accept_sec_context().