Serialization framework future

Nico Williams nico at cryptonector.com
Thu May 31 16:02:50 EDT 2012


On Thu, May 31, 2012 at 2:13 PM, Sam Hartman <hartmans at mit.edu> wrote:
> I don't think the authorization data is important because it's
> inherently incomplete.
> Remember that the client never receives authorization data added by the
> KDC, only the data it requested.

Right, but the client knows what authz-data it asked to have in the
Ticket.  In theory a client could care about this.  In practice today
the clients don't.

> What's the use case here? How important is exporting acceptor creds?

Well, for RFC4121 probably not.  But there's also user2user and other
mechanisms to worry about.

Also, in the context of the GSS proxy the token may need to be
completely different, possibly having nothing more than a "name" for a
credential handle in the proxy daemon's address space and a cookie for
authorization.

> I'm trying to evaluate the tradeoff between completeness and something
> that we could standardize so you could reasonably import creds between
> two different krb5 mechanisms.

To standardize I'd really want acceptor credential support, and I
think I'd want that to not involve a serialized keytab.

But, yeah, we need to design something we can standardize, no?

Nico
--
