Multi-round trip extension

Nico Williams nico at
Mon Sep 1 17:49:22 EDT 2014

It'd be nice if the AP / mech protocol could recover from various
failures by doing one more round-trip, such as:

 - skew too great

 - wrong kvno (why force users to kinit?! this is a huge pain-point for

 - replay cache avoidance (server doesn't want it; challenge/response)

 - replay cache false positive (if the server is using a probabilistic
   rcache data structure)

Protocol-wise we just need an Authenticator flag by which the client/
initiator can tell the server that it is willing to engage in one
more round trip.  The server/acceptor needs a way to indicate the
same in a KRB-ERROR (or through an extended AP-REP, maybe? when the
server can decrypt the Ticket).
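
As an added illustration, not code from this post or from any Kerberos implementation, here is a toy model of the exchange proposed above: an initiator sets a hypothetical Authenticator flag, and the acceptor echoes its willingness in a KRB-ERROR so the initiator can rebuild the Authenticator once and try again. The flag name, error codes, message dicts and skew limit are all assumptions made for the sketch.

```python
# Toy model of the proposed "one more round trip" AP exchange (added example).
# MULTI_ROUND_TRIP_FLAG, the dict-shaped messages and the rcache keying are
# assumptions; real Authenticators, KRB-ERRORs and rcaches differ in detail.
from dataclasses import dataclass, field

MAX_SKEW = 300                 # seconds; the usual Kerberos clock-skew tolerance
MULTI_ROUND_TRIP_FLAG = 0x1    # hypothetical Authenticator flag from the post


@dataclass
class Acceptor:
    now: int
    seen: set = field(default_factory=set)   # replay cache keyed by (ctime, cusec)

    def accept(self, auth: dict) -> dict:
        skew = abs(auth["ctime"] - self.now)
        # Server only invites a retry when the initiator said it can do one.
        retryable = bool(auth["flags"] & MULTI_ROUND_TRIP_FLAG)
        if skew > MAX_SKEW:
            return {"type": "KRB-ERROR", "code": "KRB_AP_ERR_SKEW",
                    "stime": self.now, "retry_ok": retryable}
        key = (auth["ctime"], auth["cusec"])
        if key in self.seen:   # stands in for a (possibly false-positive) rcache hit
            return {"type": "KRB-ERROR", "code": "KRB_AP_ERR_REPEAT",
                    "retry_ok": retryable}
        self.seen.add(key)
        return {"type": "AP-REP", "ctime": auth["ctime"]}


def initiate(acceptor: Acceptor, client_now: int, willing: bool) -> dict:
    """Run the AP exchange, retrying exactly once if both sides allow it."""
    flags = MULTI_ROUND_TRIP_FLAG if willing else 0
    auth = {"ctime": client_now, "cusec": 0, "flags": flags}
    rep = acceptor.accept(auth)
    if rep["type"] == "AP-REP" or not rep.get("retry_ok"):
        return rep   # success, or the server did not offer a retry: behave as today
    # One extra round trip: rebuild the Authenticator with the server's time on
    # skew, or with fresh microseconds after a replay-cache rejection.
    if rep["code"] == "KRB_AP_ERR_SKEW":
        auth = {"ctime": rep["stime"], "cusec": 1, "flags": flags}
    else:
        auth = {"ctime": client_now, "cusec": auth["cusec"] + 1, "flags": flags}
    return acceptor.accept(auth)
```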

Discovering HTTP/Negotiate apps that can't deal with more than one
round trip will. be. fun.  We may have to exempt the HTTP service in
some cases.


More information about the krbdev mailing list