Multi-round trip extension
Nico Williams
nico at cryptonector.com
Mon Sep 1 17:49:22 EDT 2014
It'd be nice if the AP / mech protocol could recover from various
failures by doing one more round-trip, such as:
- skew too great
- wrong kvno (why force users to kinit?! this is a huge pain-point for
users!)
- replay cache avoidance (server doesn't want it; challenge/response)
- replay cache false positive (if the server is using a probabilistic
rcache data structure)
Protocol-wise we just need an Authenticator flag by which the client/
initiator can tell the server that it is willing to engage in one
more round trip. The server/acceptor needs a way to indicate the
same in a KRB-ERROR (or through an extended AP-REP, maybe? when the
server can decrypt the Ticket).
Discovering HTTP/Negotiate apps that can't deal with more than one
round trip will. be. fun. We may have to exempt the HTTP service in
some cases.
Nico
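As an added illustration (not part of Nico's post, and not Kerberos wire format), here is a toy model of the exchange the post proposes: the initiator sets a hypothetical "willing to do one more round trip" flag in its request, the acceptor mirrors it in its error, and the initiator then repairs the specific failure (re-timing against the server's clock for skew, refetching the ticket for a wrong kvno) and retries exactly once. The message shapes, flag names and error codes are assumptions made up for the model; the one-retry bound is the detail a deployer would want, since it keeps a misbehaving or legacy acceptor from driving an initiator into a loop.

```python
# Constructed model of the proposed "one more round trip" recovery (added
# example; message shapes and flag names are hypothetical, not RFC 4120).
from dataclasses import dataclass
from typing import Callable, Union

MAX_SKEW = 300  # seconds; the conventional Kerberos clockskew default


@dataclass
class Ticket:
    kvno: int  # key version number the ticket was encrypted under


@dataclass
class ApReq:
    ticket: Ticket
    client_time: int
    extra_round_trip_ok: bool  # hypothetical Authenticator flag from the post


@dataclass
class KrbError:
    code: str                  # "SKEW" or "BAD_KVNO" (constructed codes)
    server_time: int           # stands in for stime in a real KRB-ERROR
    extra_round_trip_ok: bool  # hypothetical acceptor-side "send again" flag


@dataclass
class Acceptor:
    clock: int
    current_kvno: int
    supports_extension: bool = True  # False models a legacy acceptor

    def accept(self, req: ApReq) -> Union[str, KrbError]:
        # Offer the extra round trip only if both sides asked for it.
        again = self.supports_extension and req.extra_round_trip_ok
        if req.ticket.kvno != self.current_kvno:
            return KrbError("BAD_KVNO", self.clock, again)
        if abs(req.client_time - self.clock) > MAX_SKEW:
            return KrbError("SKEW", self.clock, again)
        return "AP-REP"


@dataclass
class Initiator:
    clock: int
    ticket: Ticket
    fetch_ticket: Callable[[], Ticket]  # stands in for going back to the KDC

    def authenticate(self, acceptor: Acceptor):
        """Return (outcome, extra_round_trips). At most ONE retry is made,
        so a misbehaving acceptor cannot keep an initiator looping."""
        offset = 0
        extra = 0
        while True:
            req = ApReq(self.ticket, self.clock + offset, extra_round_trip_ok=True)
            resp = acceptor.accept(req)
            if resp == "AP-REP":
                return ("ok", extra)
            if not resp.extra_round_trip_ok or extra >= 1:
                return ("fail:" + resp.code, extra)
            extra += 1
            if resp.code == "SKEW":
                # Re-time the Authenticator against the server's clock.
                offset = resp.server_time - self.clock
            elif resp.code == "BAD_KVNO":
                # Refresh the ticket instead of making the user kinit.
                self.ticket = self.fetch_ticket()


if __name__ == "__main__":
    acc = Acceptor(clock=10_000, current_kvno=3)
    init = Initiator(clock=5_000, ticket=Ticket(3), fetch_ticket=lambda: Ticket(3))
    print(init.authenticate(acc))  # ('ok', 1)
```

Running the model with a skewed clock or a stale kvno succeeds after one extra trip; with both faults at once, or against an acceptor that does not mirror the flag, it fails after the single permitted retry, which is the HTTP/Negotiate-style failure mode the post expects to run into.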