[kitten] Token Preauth for Kerberos

Greg Hudson ghudson at MIT.EDU
Tue Jul 8 12:33:23 EDT 2014

On 07/08/2014 08:10 AM, Zheng, Kai wrote:
> How about having a new one like AD-TOKEN that contains the token derivation.

To me, this sounds like creating a container-of-anything within an
existing container-of-anything.  That is, if you see something within an
AD-TOKEN subcontainer, you don't know anything about what it is, only
something about where it came from and how it is encoded.

An advantage of the subcontainer approach is that the KDC can be fairly
dumb.  But the server application has to be correspondingly smart; if a
semantically equivalent piece of authorization data could exist in one
of several subcontainers, each with its own encoding, then it must
understand all of the different subcontainers and search within each.

More information about the krbdev mailing list