[3437] in Kerberos
Re: Kerberos and DCE
daemon@ATHENA.MIT.EDU (Joseph N. Pato)
Fri Jun 17 17:45:31 1994
Date: Fri, 17 Jun 1994 17:08:18 -0400
To: "Derrick J. Brashear" <db74+@andrew.cmu.edu>, kerberos@MIT.EDU
From: pato@apollo.hp.com (Joseph N. Pato)
At 10:24 6/17/94 -0400, Derrick J. Brashear wrote:
>Is there a suggested source for reading more about the DCE security
>server? I'm specifically interested in the difficulty involved in
>implementing the concept on PACs using the MIT K5b4 (or newer, if one
>becomes available before I have time to play with it) kdc. Is this
>possible? Am I insane? (well, yes, but am I specifically insane
>thinking this can be done?)
>

You are not insane. This can be done (and in fact is what we did to
implement the DCE starting with the MIT K5 alpha releases almost 5 years
ago.)

The best source of information is the DCE Security AES - but that hasn't
been published yet; it has completed the initial review at X/Open and is
being edited to resolve change requests. It should be available later this
year.

If you are a member of the OSF then you should be able to obtain pre-print
versions of the security AES electronically.

In the interim the DCE manual sets provide general information - but not
enough for you to implement a compatible privilege server.

I took the concept of a PAC from ECMA work (TR/46 is a reasonable
reference) and I suspect this would also exist in the PASC (POSIX) security
framework document that will soon be released for ballot. The ISO security
framework drafts also have descriptions of the PAC concept. The Sesame
documents are also good sources for information on PACs. (These PACs aren't
all the same - syntactically - but the general idea is pretty common in the
various working groups)

- joe