krb5_pac_verify and server key enctype extraction
Natalie.Li at Sun.COM
Tue Aug 4 14:05:40 EDT 2009
Could you please send out a pointer to the GSS naming extensions draft?
Luke Howard wrote:
>> Yeah, it took me a while to realise that that was what I had always done.
>> But yes, we should do what Sam suggests for 1.8.
> So: Sam's suggestion is to expose the verified PAC via the recently
> published GSS naming extensions draft. This sounds reasonable to me.
> Love: did Heimdal /always/ verify the PAC in gss_accept_sec_context()?
> This is an issue for MIT, because in 1.7 we shipped APIs for extracting
> authorisation data. An application unaware of which GSS-API
> implementation it is using cannot be sure whether the PAC was verified
> after calling gss_accept_sec_context().
> -- Luke