Serialization framework future
Nico Williams
nico at cryptonector.com
Thu May 31 12:04:48 EDT 2012
On Thu, May 31, 2012 at 10:48 AM, Greg Hudson <ghudson at mit.edu> wrote:
> The larger picture is that I need to serialize a GSS cred, which might
> be an acceptor or initiator cred or both. So the actual token format
> will be some combination of a ccache, a keytab, a krb5 GSS name, and
> maybe some other metadata (like the state set by
> gss_krb5_set_allowable_enctypes). ccaches and keytabs will likely be
> marshalled by name except for memory ccaches (and maybe memory keytabs,
> but those are rarely seen in the wild).
Yeah, I pointed that out too, but there's more structure than I
thought. You need something like this:
Exported-Cred ::= SEQUENCE {
    desired-principal OCTET STRING,            -- containing an exported name token
    initiator-creds   SEQUENCE OF OCTET STRING, -- containing KRB-CREDs
    acceptor-creds    SEQUENCE OF KeytabEntries
}
Doesn't have to be ASN.1/DER. KRB-CRED is tempting for code and
specification reuse reasons, but as I mentioned, it's missing
authz-data, which may be a problem.
Nico
--
More information about the krbdev mailing list
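As an added illustration of the Exported-Cred layout sketched in the message above (this is example code written for this page, not code from the post, from Nico, or from MIT Kerberos), the block below is a strict DER encoder and decoder for that structure. The post does not define KeytabEntries, so the KeytabEntry layout used here (principal, kvno, enctype, key) is an assumption, and the exported name token and KRB-CRED blobs are treated as opaque byte strings. Two practitioner points the structure itself does not state: the token carries key material (KRB-CRED session keys and keytab long-term keys), so wherever it travels it needs the same confidentiality and integrity protection as a ccache or keytab file; and because a cred importer will see tokens it did not produce, the decoder rejects indefinite and non-minimal lengths, wrong tags, truncation and trailing bytes rather than being lenient. The sample values are constructed placeholders, not real Kerberos data.

```python
from dataclasses import dataclass
from typing import List, Tuple

TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30


@dataclass
class KeytabEntry:
    # Assumed layout (not from the post): SEQUENCE { principal OCTET STRING,
    # kvno INTEGER, enctype INTEGER, key OCTET STRING }
    principal: bytes
    kvno: int
    enctype: int
    key: bytes


@dataclass
class ExportedCred:
    desired_principal: bytes           # exported name token, opaque here
    initiator_creds: List[bytes]       # KRB-CRED messages, opaque here
    acceptor_creds: List[KeytabEntry]


def der_len(n: int) -> bytes:
    """Minimal definite-length encoding; DER has no indefinite form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_uint(v: int) -> bytes:
    """Minimal two's-complement INTEGER for a non-negative value."""
    if v < 0:
        raise ValueError("negative values are not used in this structure")
    return tlv(TAG_INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def read_tlv(buf: bytes, pos: int, expect: int) -> Tuple[bytes, int]:
    """Parse one TLV at pos and return (body, next_pos). Deliberately strict:
    wrong tag, truncation, indefinite or non-minimal length all raise."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    if buf[pos] != expect:
        raise ValueError("unexpected tag %#x" % buf[pos])
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf) or buf[pos] == 0:
            raise ValueError("indefinite, oversized, truncated or non-minimal length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if length < 0x80:
            raise ValueError("non-minimal length")
    if pos + length > len(buf):
        raise ValueError("truncated body")
    return buf[pos:pos + length], pos + length


def read_uint(buf: bytes, pos: int) -> Tuple[int, int]:
    body, pos = read_tlv(buf, pos, TAG_INTEGER)
    if not body or body[0] & 0x80 or (len(body) > 1 and body[0] == 0 and body[1] < 0x80):
        raise ValueError("bad INTEGER encoding")
    return int.from_bytes(body, "big"), pos


def read_seq_of(body: bytes, tag: int) -> List[bytes]:
    """Split a SEQUENCE OF body into its elements, all of which must carry tag."""
    items, pos = [], 0
    while pos < len(body):
        item, pos = read_tlv(body, pos, tag)
        items.append(item)
    return items


def encode_keytab_entry(e: KeytabEntry) -> bytes:
    return tlv(TAG_SEQUENCE, tlv(TAG_OCTET_STRING, e.principal) + der_uint(e.kvno)
               + der_uint(e.enctype) + tlv(TAG_OCTET_STRING, e.key))


def decode_keytab_entry(body: bytes) -> KeytabEntry:
    principal, pos = read_tlv(body, 0, TAG_OCTET_STRING)
    kvno, pos = read_uint(body, pos)
    enctype, pos = read_uint(body, pos)
    key, pos = read_tlv(body, pos, TAG_OCTET_STRING)
    if pos != len(body):
        raise ValueError("trailing bytes in KeytabEntry")
    return KeytabEntry(principal, kvno, enctype, key)


def encode_exported_cred(c: ExportedCred) -> bytes:
    return tlv(TAG_SEQUENCE,
               tlv(TAG_OCTET_STRING, c.desired_principal)
               + tlv(TAG_SEQUENCE, b"".join(tlv(TAG_OCTET_STRING, k) for k in c.initiator_creds))
               + tlv(TAG_SEQUENCE, b"".join(encode_keytab_entry(e) for e in c.acceptor_creds)))


def decode_exported_cred(token: bytes) -> ExportedCred:
    body, end = read_tlv(token, 0, TAG_SEQUENCE)
    if end != len(token):
        raise ValueError("trailing bytes after Exported-Cred")
    principal, pos = read_tlv(body, 0, TAG_OCTET_STRING)
    inits, pos = read_tlv(body, pos, TAG_SEQUENCE)
    accs, pos = read_tlv(body, pos, TAG_SEQUENCE)
    if pos != len(body):
        raise ValueError("trailing bytes inside Exported-Cred")
    return ExportedCred(principal, read_seq_of(inits, TAG_OCTET_STRING),
                        [decode_keytab_entry(b) for b in read_seq_of(accs, TAG_SEQUENCE)])


def rejects(token: bytes) -> bool:
    """True when the strict decoder refuses the token."""
    try:
        decode_exported_cred(token)
    except ValueError:
        return True
    return False


# Constructed sample, not real Kerberos data: placeholder name token and
# KRB-CRED blobs, one keytab entry with enctype 18 (aes256-cts) and a dummy key.
SAMPLE = ExportedCred(
    desired_principal=b"exported-name-token",
    initiator_creds=[b"krb-cred-for-tgt", b"krb-cred-for-service"],
    acceptor_creds=[KeytabEntry(b"host/example.test@EXAMPLE.TEST", 3, 18, bytes(range(32)))],
)
```

Encoding SAMPLE gives a token just over 128 bytes, so the outer SEQUENCE exercises the long-form length path; appending a stray byte, or rewriting the header with an indefinite (0x80) or padded (0x82 0x00 0x8b) length, is refused by the decoder even though a lenient BER parser would accept all three.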