OTP ASN.1 encoders for 1.10

ghudson at MIT.EDU
Sun Oct 30 23:47:27 EDT 2011


For the life cycle of 1.10, the FAST OTP plugin will live outside the
krb5 source release.  This plugin needs to encode several new ASN.1
sequences, like PA-OTP-CHALLENGE, some of which incorporate existing
krb5 and PKINIT sequences (EncryptedData and AlgorithmIdentifier).

My plan is to add the encoders to libkrb5 for 1.10, export them, and
declare them (along with the structures) in a header k5-int-otp.h,
akin to k5-int-pkinit.h.  This header can be copied into the OTP
plugin source (I told Linus that we'd install it, but now I think
that's unnecessary).  Adding encoders for OTP stuff shouldn't
destabilize the 1.10 release since nothing will use them besides OTP
plugins, so we can do it at pretty much any point during the release
cycle.

For the 1.11 release, I hope the OTP plugin can be part of the krb5
source tree, with a pluggable interface for vendor-specific modules,
which will render k5-int-pkinit.h moot (or a purely internal
artifact).  I also hope we can improve the ASN.1 extensibility
situation for 1.11, but I need to do more research before I can lay
out concrete options for that.
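The post's core technical point is that an encoder for a new ASN.1 sequence is built by composing encoders for types that already exist (AlgorithmIdentifier, EncryptedData). The following is an added example, not code from this post or from the krb5 tree: a minimal DER encoder and decoder in Python that builds a real AlgorithmIdentifier (RFC 5280 layout) and nests it, with explicit context tags in the Kerberos style, inside a made-up outer sequence. The outer sequence (`HypotheticalOtpChallenge`), its field layout and the sample OID and nonce are assumptions for illustration; they are not the PA-OTP-CHALLENGE definition and should not be read as such.

```python
# Added example (not from the krbdev post or the krb5 source): a minimal DER
# encoder/decoder showing how an encoder for a new SEQUENCE reuses encoders
# for existing types. The outer sequence layout is HYPOTHETICAL.

def der_length(n):
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    """One tag-length-value element with a single-byte tag."""
    return bytes([tag]) + der_length(len(content)) + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs merged, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_octet_string(data):
    return der_tlv(0x04, data)

def encode_algorithm_identifier(oid, params=None):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    (RFC 5280 layout). `params` is pre-encoded DER or None when absent."""
    return der_tlv(0x30, der_oid(oid) + (params if params is not None else b""))

def encode_hypothetical_otp_challenge(nonce, alg_oid, alg_params=None):
    """HYPOTHETICAL layout, for illustration only (not RFC 6560):
         HypotheticalOtpChallenge ::= SEQUENCE {
             nonce      [0] OCTET STRING,
             algorithm  [1] AlgorithmIdentifier
         }
    Context tags are EXPLICIT (constructed, 0xA0/0xA1) as in Kerberos ASN.1,
    so each wraps the full inner TLV produced by the existing encoder."""
    return der_tlv(0x30,
                   der_tlv(0xA0, der_octet_string(nonce)) +
                   der_tlv(0xA1, encode_algorithm_identifier(alg_oid, alg_params)))

def der_read_tlv(buf):
    """Parse one TLV from the front of `buf`; return (tag, content, rest).
    Rejects truncated input and non-minimal long-form lengths."""
    if len(buf) < 2:
        raise ValueError("truncated TLV header")
    tag, first = buf[0], buf[1]
    pos = 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("content extends past buffer")
    return tag, buf[pos:pos + length], buf[pos + length:]

def der_read_sequence(buf):
    """Return the list of (tag, content) children of a DER SEQUENCE."""
    tag, content, rest = der_read_tlv(buf)
    if tag != 0x30 or rest:
        raise ValueError("expected a single SEQUENCE")
    children = []
    while content:
        t, c, content = der_read_tlv(content)
        children.append((t, c))
    return children

if __name__ == "__main__":
    # Constructed sample values: a three-byte nonce and the RSA-DSI arc OID.
    encoded = encode_hypothetical_otp_challenge(b"\x01\x02\x03", "1.2.840.113549")
    print(encoded.hex())
    print(der_read_sequence(encoded))
```

Each field of the new sequence is produced by calling an existing encoder and wrapping the result in its context tag, which is the composition pattern the post describes; the decoder side is included so the nesting can be checked rather than trusted.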


