krb5_pac_verify and server key enctype extraction

Luke Howard lukeh at padl.com
Tue Aug 4 14:11:38 EDT 2009


http://tools.ietf.org/html/draft-ietf-kitten-gssapi-naming-exts-05

On 04/08/2009, at 8:05 PM, Natalie Li wrote:

> Luke,
>
> Could you please send out a pointer to the GSS naming extensions  
> draft?
>
> Thanks,
>
> Natalie
>
> Luke Howard wrote:
>>
>>
>>> Yeah, it took me a while to realise that that was what I had always done.
>>> But yes, we should do what Sam suggests for 1.8.
>>
>> So: Sam's suggestion is to expose the verified PAC via the recently  
>> published GSS naming extensions draft. This sounds reasonable to me.
>>
>> Love: did Heimdal always verify the PAC in  
>> gss_accept_sec_context()? This is an issue for MIT, because in 1.7 we  
>> shipped APIs for extracting authorisation data. An application  
>> unaware of which GSS-API implementation it is using cannot be sure  
>> whether the PAC was verified after calling gss_accept_sec_context().
>>
>> regards,
>>
>> -- Luke
>

--
www.padl.com | www.fghr.net