krb5-1.8-beta1 is available
tlyu at MIT.EDU
Thu Feb 25 13:01:24 EST 2010
Marcus Watts <mdw at umich.edu> writes:
> Ok. This issue is definitely not a showstopper; you should feel
> free to release krb5-1.8. I've managed to find the offending
> code, it's not in krb5-1.8 at all, and I now have a fixed version
> that works without incident.
> The code that was failing for me is *not* any version of mit kerberos;
> it's separate code which decodes kerberos 5 data using openssl asn.1
> logic. The advantage is that it might catch problems that escaped your
> testing; the disadvantage is those problems might be its own problems.
> So far, it caught one problem for you, and scored one problem of its own.
> Sorry for the confusion; the tight schedule you have didn't give me much
> time to get my ducks in a row.
Ok. Thanks for taking the time to look into it. The independent
verification of the ASN.1 is helpful, too.
> So the main concern I have at this point is it's not clear to me whatever
> this is has good documentation, &etc. I'm now more or less convinced
> that S4U2Self and S4U2Proxy aren't ietf draft standards, but at least
> I found http://k5wiki.kerberos.org/wiki/Projects/Services4User .
S4U2Self and S4U2Proxy are documented by Microsoft in MSDN.
AD-SIGNEDPATH / AD-SIGNTICKET is a Heimdal extension.
None of these has an IETF document describing it at this time.
More information about the krbdev