[kitten] Token Preauth for Kerberos
kaduk at MIT.EDU
Wed Jul 9 10:17:52 EDT 2014
On Tue, 8 Jul 2014, Zheng, Kai wrote:
> Hi Creg,
>> this sounds like creating a container-of-anything within an existing container-of-anything. That is, if you see something within an AD-TOKEN subcontainer, you don't know anything about what it is, only something about where it came from and how it is encoded.
> Hmmm, not exactly what I mean. It's a container-of-exactly-token within
> the existing container-of-anything (AD-KDC-ISSUED). Looking at AD-TOKEN
> subcontainer, applications are meant to get a token from it, as AD-TOKEN
> could be defined as:
AD-TOKEN is a "container of anything" not in the sense of the ASN.1 data
type, but rather that the JWT token therein could contain any sort of
information about the user making the request, restrictions placed on the
token, and so on. (Almost) any sort of information could be in the
AD-TOKEN, even if only a single data type is permitted.