krb5_pac_verify and server key enctype extraction

Natalie Li Natalie.Li at Sun.COM
Tue Aug 4 14:05:40 EDT 2009


Luke,

Could you please send out a pointer to the GSS naming extensions draft?

Thanks,

Natalie

Luke Howard wrote:
>
>> Yeah, it took me a while to realise that that was what I had always done.
>> But yes, we should do what Sam suggests for 1.8.
>
> So: Sam's suggestion is to expose the verified PAC via the recently 
> published GSS naming extensions draft. This sounds reasonable to me.
>
> Love: did Heimdal /always/ verify the PAC in gss_accept_sec_context()? 
> This is an issue for MIT, because in 1.7 we shipped APIs for extracting 
> authorisation data. An application unaware of which GSS-API 
> implementation it is using cannot be sure whether the PAC was verified 
> after calling gss_accept_sec_context().
>
> regards,
>
> -- Luke



