Project review: response sets

Nico Williams nico at
Fri Jul 13 16:48:29 EDT 2012

On Fri, Jul 13, 2012 at 2:56 PM, Nathaniel McCallum
<npmccallum at> wrote:
> In the case of OTP, the KDC does in fact tell the client how to validate
> the data. If we follow the proposed modifications to the response set

I see.

> interface, you will require marshaling for every plugin and every
> application. You would also have to distribute a separate library for
> every plugin's client validation. I think that the current approach is
> the simplest and the most flexible.

I do think it follows that the pre-auth plugin should do the
validation.  I don't think it follows that we must use void * instead
of char *.

Would this work:

 - pre-auth plugins add "questions" and validation callbacks to a set
that the library will output to the application
 - the application does all the prompting, and for each answer calls
the validation callback if available
 - when the answer set is complete the application provides the full
answer set in a way very similar to the cred_store API



More information about the krbdev mailing list