Authentication Indicator implementation

Jain, Anupam ajain323 at gatech.edu
Thu Dec 19 01:12:47 EST 2013


Hi,

I am working on adding a new authorization data type "Authentication Indicator" to the Kerberos tickets, which indicates the strength of the authentication mechanism used by the client to connect to the network. Here is the link to the draft: <http://tools.ietf.org/html/draft-jain-kitten-krb-auth-indicator-00>. I am trying to create a proof-of-concept implementation for this feature, but I am not very familiar with the Kerberos codebase. As AD-CAMMAC has not been implemented yet, I am trying to figure out a way to add this information inside the AD-KDC-ISSUED container inside the tickets, which can then be propagated to the application services.

Here is what I think should be the approach. There is a function krb5_make_authdata_kdc_issued() present in the Kerberos codebase which takes the sequence of auth data as input and fills out the AD-KDC-Issued structure using it. It then encodes this structure and puts it inside a new auth data structure. So I can probably include this auth data structure inside the tickets. There are functions process_as_req() and finish_process_as_req() which create the AS response. A part of the AS response is the ticket, which contains the authorization data. So I can insert the authorization data received by encoding the AD-KDC-Issued structure inside this authorization data field, which can then be propagated to the application services. I am not sure if this is the correct way to go about it.
Any help/comments/suggestions would be greatly appreciated.

