[kitten] Token Preauth for Kerberos

Benjamin Kaduk kaduk at MIT.EDU
Wed Jul 9 10:17:52 EDT 2014

On Tue, 8 Jul 2014, Zheng, Kai wrote:

> Hi Creg,
>> this sounds like creating a container-of-anything within an existing container-of-anything.  That is, if you see something within an AD-TOKEN subcontainer, you don't know anything about what it is, only something about where it came from and how it is encoded.
> Hmmm, not exactly as what I mean. It's container-of-exactly-token within 
> the existing container-of-anything (AD-KDC-ISSUED). Looking at AD-TOKEN 
> subcontainer, applications are meant to get a token from it, as AD-TOKEN 
> could be defined as:

AD-TOKEN is a "container of anything" not in the sense of the ASN.1 data 
type, but rather that the JWT token therein could contain any sort of 
information about the user making the request, restrictions placed on the 
token, and so on.  (Almost) any sort of information could be in the 
AD-TOKEN, even if only a single data type is permitted.


More information about the krbdev mailing list