OTP ASN.1 encoders for 1.10

Nathaniel McCallum npmccallum at redhat.com
Mon Oct 31 10:48:20 EDT 2011


On Sun, 2011-10-30 at 23:47 -0400, ghudson at mit.edu wrote:
> For the life cycle of 1.10, the FAST OTP plugin will live outside the
> krb5 source release.  This plugin needs to encode several new ASN.1
> sequences, like PA-OTP-CHALLENGE, some of which incorporate existing
> krb5 and PKINIT sequences (EncryptedData and AlgorithmIdentifier).
> 
> My plan is to add the encoders to libkrb5 for 1.10, export them, and
> declare them (along with the structures) in a header k5-int-otp.h,
> akin to k5-int-pkinit.h.  This header can be copied into the OTP
> plugin source (I told Linus that we'd install it, but now I think
> that's unnecessary).  Adding encoders for OTP stuff shouldn't
> destabilize the 1.10 release since nothing will use them besides OTP
> plugins, so we can do it at pretty much any point during the release
> cycle.
> 
> For the 1.11 release, I hope the OTP plugin can be part of the krb5
> source tree, with a pluggable interface for vendor-specific modules,
> which will render k5-int-pkinit.h moot (or a purely internal
> artifact).  I also hope we can improve the ASN.1 extensibility
> situation for 1.11, but I need to do more research before I can lay
> out concrete options for that.

This would be a big help, thanks!



