[kitten] Verified authorization data

Simo Sorce simo at redhat.com
Wed Jun 11 13:08:10 EDT 2014


On Wed, 2014-06-11 at 19:02 +0200, Peter Mogensen wrote:
> On 2014-06-11 18:17, Simo Sorce wrote:
> > On Wed, 2014-06-11 at 14:20 +0200, Peter Mogensen wrote:
> >> The solution in AD-CAMMAC seems very complex too, requiring
> >> effectively calculating the entire EncTicketPart twice - and once for
> >> every present AD-CAMMAC present.
> >
> > I am confused about this statement. The AD-CAMMAC draft specifies that
> > it contains a sequence of AD elements, that means you have only 1
> > AD-CAMMAC for all the AD data you want to protect. You check the whole
> > thing only once.
> 
> 
> I was not sure whether you could rule out any use case requiring
> merging of 2 AD-CAMMAC elements with - say - different other-verifier
> checksums for which the KDC didn't have all the keys.
> But I guess that since other-verifier restricts the principals to be in
> the KDC realm, that could not happen.
> 
> Still... the whole EncTicketPart has to be constructed and DER-encoded
> twice to add a kdc-verifier.

That is done to bind the CAMMAC to a specific ticket, it is an
additional protection that you probably want for your use case too.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
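The two points made above, that the EncTicketPart is encoded twice when a kdc-verifier is added and that the verifier is what binds the CAMMAC to one specific ticket, as an added Python model. This is not code from the thread, from MIT Kerberos, or RFC 7751's exact procedure: canonical JSON stands in for ASN.1 DER, HMAC-SHA256 for the Kerberos checksum, the key is a placeholder, and all field and principal names are constructed.

```python
import hashlib
import hmac
import json

# Simplified model of a kdc-verifier over an AD-CAMMAC (added illustration,
# not RFC 7751's encoding). Canonical JSON stands in for DER, HMAC-SHA256 for
# the Kerberos checksum; the key and every name below are constructed.

KDC_KEY = b"constructed-sample-kdc-key"  # placeholder; a key only the KDC holds


def encode(enc_ticket_part):
    """Deterministic serialization standing in for DER encoding of EncTicketPart."""
    return json.dumps(enc_ticket_part, sort_keys=True, separators=(",", ":")).encode()


def _copy(obj):
    return json.loads(json.dumps(obj))


def strip_verifiers(enc_ticket_part):
    """Copy of the EncTicketPart in which the CAMMAC keeps only its 'elements'."""
    stripped = _copy(enc_ticket_part)
    for ad in stripped["authorization-data"]:
        if ad["ad-type"] == "AD-CAMMAC":
            ad["ad-data"] = {"elements": ad["ad-data"]["elements"]}
    return stripped


def compute_kdc_verifier(enc_ticket_part):
    """MAC over the encoding of the whole verifier-less ticket part."""
    data = encode(strip_verifiers(enc_ticket_part))
    return hmac.new(KDC_KEY, data, hashlib.sha256).hexdigest()


def issue_ticket(enc_ticket_part):
    """KDC side: encode once to MAC, insert the MAC, encode again for the ticket."""
    ticket = strip_verifiers(enc_ticket_part)
    verifier = compute_kdc_verifier(ticket)      # encoding pass 1 (inside MAC)
    for ad in ticket["authorization-data"]:
        if ad["ad-type"] == "AD-CAMMAC":
            ad["ad-data"]["kdc-verifier"] = verifier
    return ticket, encode(ticket)                # encoding pass 2 (final bytes)


def verify_kdc_verifier(enc_ticket_part):
    """KDC side on later use: re-strip, re-encode, recompute, constant-time compare."""
    for ad in enc_ticket_part["authorization-data"]:
        if ad["ad-type"] == "AD-CAMMAC":
            claimed = ad["ad-data"].get("kdc-verifier")
            if claimed is None:
                return False
            return hmac.compare_digest(claimed, compute_kdc_verifier(enc_ticket_part))
    return False


def make_sample_ticket(cname):
    """Constructed sample EncTicketPart with one AD-CAMMAC carrying one element."""
    return {
        "cname": cname,
        "crealm": "EXAMPLE.COM",
        "endtime": "20140611T230000Z",
        "authorization-data": [
            {"ad-type": "AD-CAMMAC",
             "ad-data": {"elements": [{"ad-type": "SAMPLE-AD", "ad-data": "group=admins"}]}}
        ],
    }


def with_field(enc_ticket_part, field, value):
    """Copy with one top-level field changed (models an altered ticket)."""
    altered = _copy(enc_ticket_part)
    altered[field] = value
    return altered


def transplant_cammac(src, dst):
    """Copy the CAMMAC (verifier included) from one ticket into another."""
    out = _copy(dst)
    out["authorization-data"] = _copy(src["authorization-data"])
    return out


if __name__ == "__main__":
    alice, alice_bytes = issue_ticket(make_sample_ticket("alice"))
    bob, _ = issue_ticket(make_sample_ticket("bob"))
    print("alice verifies:", verify_kdc_verifier(alice))
    print("alice's CAMMAC inside bob's ticket verifies:",
          verify_kdc_verifier(transplant_cammac(alice, bob)))
```

Because the MAC covers the whole verifier-less EncTicketPart rather than just the CAMMAC's elements, the same CAMMAC moved into another principal's ticket, or left in a ticket whose other fields changed, no longer verifies; that is the binding the reply refers to, and the price is that both issuance and every check re-strip and re-encode the full structure.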