Project review: response sets
Nico Williams
nico at cryptonector.com
Fri Jul 13 16:48:29 EDT 2012
On Fri, Jul 13, 2012 at 2:56 PM, Nathaniel McCallum
<npmccallum at redhat.com> wrote:
> In the case of OTP, the KDC does in fact tell the client how to validate
> the data.

I see.

> If we follow the proposed modifications to the response set
> interface, you will require marshaling for every plugin and every
> application. You would also have to distribute a separate library for
> every plugin's client validation. I think that the current approach is
> the simplest and the most flexible.

I do think it follows that the pre-auth plugin should do the
validation. I don't think it follows that we must use void * instead
of char *.

Would this work:

- pre-auth plugins add "questions" and validation callbacks to a set
  that the library will output to the application
- the application does all the prompting, and for each answer calls
  the validation callback if available
- when the answer set is complete the application provides the full
  answer set in a way very similar to the cred_store API

?

Nico
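
The three-step flow proposed in the message above, sketched in C as an added example; it is not part of the original message and is not krb5 code. Every name here (`question_set`, `qs_add`, `qs_answer`, `qs_complete`, `otp_digits`) is hypothetical, and the digit-count check stands in for whatever format the KDC tells the OTP plugin to enforce.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical sketch of the proposal; none of these names come from krb5. */
typedef int (*validate_fn)(const void *params, const char *answer);
struct question {
    const char *name;      /* key the application answers under */
    const char *prompt;    /* text the application displays */
    validate_fn validate;  /* optional; NULL means no client-side check */
    const void *params;    /* plugin-private, e.g. a format the KDC sent */
    const char *answer;    /* plain string supplied by the application */
};
struct question_set { struct question q[8]; size_t n, answered; };

/* Plugin side: add a question and, optionally, its validation callback. */
int qs_add(struct question_set *s, const char *name, const char *prompt,
           validate_fn v, const void *params)
{
    if (s->n == sizeof(s->q) / sizeof(s->q[0]))
        return -1;
    s->q[s->n++] = (struct question){ name, prompt, v, params, NULL };
    return 0;
}

/* Application side: after prompting, submit one answer as a string. */
int qs_answer(struct question_set *s, const char *name, const char *answer)
{
    for (size_t i = 0; i < s->n; i++) {
        struct question *q = &s->q[i];
        if (strcmp(q->name, name) != 0)
            continue;
        if (q->validate != NULL && q->validate(q->params, answer) != 0)
            return -1;                 /* rejected: re-prompt the user */
        s->answered += (q->answer == NULL);
        q->answer = answer;
        return 0;
    }
    return -1;                         /* no such question */
}

/* Complete once every question holds an accepted answer. */
int qs_complete(const struct question_set *s) { return s->answered == s->n; }
/* Constructed plugin validator: exactly *params decimal digits. */
int otp_digits(const void *params, const char *answer)
{
    size_t i = 0;
    while (isdigit((unsigned char)answer[i]))
        i++;
    return (answer[i] == '\0' && i == *(const size_t *)params) ? 0 : -1;
}
```

The answers cross the interface as `char *`, so the application needs no per-plugin marshaling; only the validator's own parameters stay opaque to it.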