krb5-1.8-beta1 is available

Tom Yu tlyu at MIT.EDU
Thu Feb 25 13:01:24 EST 2010

Marcus Watts <mdw at> writes:

> Ok.  This issue is definitely not a showstopper; you should feel
> free to release krb5-1.8.  I've managed to find the offending
> code, it's not in krb5-1.8 at all, and I now have a fixed version
> that works without incident.
> The code that was failing for me is *not* any version of mit kerberos;
> it's separate code which decodes kerberos 5 data using openssl asn.1
> logic.  The advantage is that it might catch problems that escaped your
> testing; the disadvantage is those problems might be its own problems.
> So far, it caught one problem for you, and scored one problem of its own.
> Sorry for the confusion; the tight schedule you have didn't give me much
> time to get my ducks in a row.

Ok.  Thanks for taking the time to look into it.  The independent
verification of the ASN.1 is helpful, too.

> So the main concern I have at this point is it's not clear to me whatever
> this is has good documentation, &etc.  I'm now more or less convinced
> that S4U2Self and S4U2Proxy aren't ietf draft standards, but at least
> I found .

S4U2Self and S4U2Proxy are documented by Microsoft in MSDN.
AD-SIGNEDPATH / AD-SIGNTICKET is a Heimdal extension.

None of these has an IETF document describing it at this time.

More information about the krbdev mailing list