[kitten] Verified authorization data
Peter Mogensen
apm at one.com
Thu Jun 12 03:12:12 EDT 2014
On 2014-06-11 19:08, Simo Sorce wrote:
>> Still... the whole EncTicketPart has to be constructed and DER-encoded
>> twice to add a kdc-verifier.
>
> That is done to bind the CAMMAC to a specific ticket, it is an
> additional protection that you probably want for your use case too.
Sure... any solution to the S4U2proxy use case would require protecting
the ticket and attached authdata, which the KDC has to trust against
service tampering.
As the cammac draft says:
"...assuring the KDC that a malicious service has not substituted a
mismatched CAMMAC received from another ticket."
But if the kdc-verifier was placed outside the EncTicketPart, then that
would also provide that protection and not require computing the ticket
twice - right?
/Peter
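The two placements under discussion, as an added toy model that is not code from the thread, the CAMMAC draft or MIT Kerberos. Tickets are plain dicts, "DER" is stood in for by canonical JSON, the KDC key and ticket/CAMMAC field names are constructed, and the "outer" variant only models the question asked above, not anything the draft specifies. What it shows is why binding matters: a kdc-verifier computed over the ticket rejects a CAMMAC lifted from another ticket in both placements, and the inner placement costs a second encoding of EncTicketPart.

```python
"""Toy model of binding a CAMMAC to one ticket with a kdc-verifier.

Constructed illustration only. Real Kerberos uses ASN.1 DER and the
structures from the CAMMAC draft; here a ticket is a dict and encoding
is canonical JSON, so the cost of an extra encoding pass is visible as
a counter rather than as real DER work.
"""
import copy
import hashlib
import hmac
import json

KDC_KEY = b"constructed-kdc-key-for-demo"  # constructed, not a real key

# Constructed sample tickets and CAMMAC payloads (field names are illustrative).
TICKET_A = {"cname": "alice@EXAMPLE.COM", "sname": "HTTP/web.example.com", "authtime": 1402556000}
TICKET_B = {"cname": "bob@EXAMPLE.COM", "sname": "HTTP/web.example.com", "authtime": 1402556100}
CAMMAC_A = {"elements": ["group:admins"]}
CAMMAC_B = {"elements": ["group:users"]}


def encode(structure):
    """Stand-in for DER encoding: canonical JSON bytes."""
    return json.dumps(structure, sort_keys=True, separators=(",", ":")).encode()


def mac(structure):
    """KDC-only MAC over an encoded structure, returned as hex."""
    return hmac.new(KDC_KEY, encode(structure), hashlib.sha256).hexdigest()


def issue_inner(enc_ticket_part, cammac):
    """Verifier inside EncTicketPart: encode once with the verifier field
    empty to compute the MAC, then encode again with it filled in.
    Returns (ticket, number of encoding passes)."""
    t = copy.deepcopy(enc_ticket_part)
    t["authorization-data"] = {**cammac, "kdc-verifier": ""}
    t["authorization-data"]["kdc-verifier"] = mac(t)  # encoding pass 1
    encode(t)                                         # encoding pass 2: final ticket bytes
    return t, 2


def check_inner(ticket):
    """KDC-side check: blank the verifier, recompute, compare in constant time."""
    t = copy.deepcopy(ticket)
    presented = t["authorization-data"]["kdc-verifier"]
    t["authorization-data"]["kdc-verifier"] = ""
    return hmac.compare_digest(presented, mac(t))


def issue_outer(enc_ticket_part, cammac):
    """Verifier carried beside EncTicketPart: the part is encoded once and
    the MAC over it travels alongside. Returns (wrapped ticket, passes)."""
    t = copy.deepcopy(enc_ticket_part)
    t["authorization-data"] = dict(cammac)
    return {"enc-ticket-part": t, "kdc-verifier": mac(t)}, 1


def check_outer(wrapped):
    return hmac.compare_digest(wrapped["kdc-verifier"], mac(wrapped["enc-ticket-part"]))


def substitute_inner(victim, donor):
    """Model the case the draft guards against: a service presenting ticket
    `victim` with the CAMMAC (verifier included) taken from `donor`."""
    forged = copy.deepcopy(victim)
    forged["authorization-data"] = copy.deepcopy(donor["authorization-data"])
    return forged


def substitute_outer(victim, donor):
    forged = copy.deepcopy(victim)
    forged["enc-ticket-part"]["authorization-data"] = copy.deepcopy(
        donor["enc-ticket-part"]["authorization-data"])
    forged["kdc-verifier"] = donor["kdc-verifier"]
    return forged


def demo():
    """Issue two tickets each way and report what the KDC check accepts."""
    a_in, passes_in = issue_inner(TICKET_A, CAMMAC_A)
    b_in, _ = issue_inner(TICKET_B, CAMMAC_B)
    a_out, passes_out = issue_outer(TICKET_A, CAMMAC_A)
    b_out, _ = issue_outer(TICKET_B, CAMMAC_B)
    return {
        "inner_encoding_passes": passes_in,
        "outer_encoding_passes": passes_out,
        "inner_honest_accepted": check_inner(a_in),
        "outer_honest_accepted": check_outer(a_out),
        "inner_substituted_accepted": check_inner(substitute_inner(a_in, b_in)),
        "outer_substituted_accepted": check_outer(substitute_outer(a_out, b_out)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both placements detect the cross-ticket substitution because the MAC covers the ticket fields as well as the CAMMAC; the difference the model makes visible is only the number of encoding passes the KDC performs.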