[kitten] Verified authorization data

Peter Mogensen apm at one.com
Wed Jun 11 13:02:46 EDT 2014


On 2014-06-11 18:17, Simo Sorce wrote:
> On Wed, 2014-06-11 at 14:20 +0200, Peter Mogensen wrote:
>> The solution in AD-CAMMAC seems very complex too, requiring
>> effectively calculating the entire EncTicketPart twice - and once for
>> every present AD-CAMMAC present.
>
> I am confused about this statement. The AD-CAMMAC draft specifies that
> it contains a sequence of AD elements, that means you have only 1
> AD-CAMMAC for all the AD data you want to protect. You check the whole
> thing only once.


I was not sure whether you could rule out any use case requiring 
merging of 2 AD-CAMMAC elements with - say - different other-verifier 
checksums for which the KDC didn't have all the keys.
But I guess that since other-verifier restricts the principals to be in 
the KDC realm, that could not happen.

Still... the whole EncTicketPart has to be constructed and DER-encoded 
twice to add a kdc-verifier.

/Peter



