[39574] in Kerberos
Re: Golang GSSAPI spec
daemon@ATHENA.MIT.EDU (Michael B Allen)
Sun Oct 26 20:50:25 2025
MIME-Version: 1.0
In-Reply-To: <3246238c-d4e2-4a72-a4fd-855ec9cfdbee@innomotics.com>
From: Michael B Allen <ioplex@gmail.com>
Date: Sun, 26 Oct 2025 20:50:00 -0400
Message-ID: <CAGMFw4gxBb+AZc3RE0s5YhDB55EE2O1bqbqsxGJ3eJ3YH-9Yag@mail.gmail.com>
To: "Osipov, Michael (IN IT IN)" <michael.osipov@innomotics.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Fri, Oct 24, 2025 at 4:15 AM Osipov, Michael (IN IT IN) via Kerberos <kerberos@mit.edu> wrote:
> Java's ticket cache is pure memory which means pure crap. I need to
> change and fiddle with the Subject between threads in a thread pool
> executor while MIT Kerberos does this nicely either with a file-based or
> KCM-based cache. The Java approach leads to more code or a cache
> per-thread which is slow to populate.
>
This is the biggest problem with security APIs in general and is not
specific to Java.
RFCs, drafts and implementations tend to focus on authentication and crypto
but what is equally important and almost completely overlooked is the
management of secrets, accounts and trusts.
Ideally every device should have a virtualized program that manages secrets
like plaintext, base keys, tickets, access tokens etc., and associated
accounts (probably non-authoritative proxy accounts but could also be
authoritative local ones) and trusts (which implicitly covers the concepts of
realms and domains).
Programs would connect to this program over a pipe or socket, get a session
id and then let it produce / consume tokens like GSS, bearer etc., and leave
the specifics of "providers" and protection of secrets up to the host
device.
Of course I'm leaving a lot out like syncing data between devices (the
Achilles heel of passkeys), role mapping, ...
Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
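The broker design sketched in the mail above (a local program that holds the secrets, hands connecting programs a session id, and then mints and checks tokens on their behalf) as an added Go example. This is not code from the mail, from MIT Kerberos or from any Go GSSAPI project; the principal name, the service names, the `principal|service|expiry|hmac` token format and the HMAC-SHA256 construction are all constructed for illustration, and the hard-coded base key stands in for what a real broker would load from a keytab, KCM or platform keystore.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Broker holds long-term secrets for local programs. Callers only ever see an
// opaque session id and short-lived tokens bound to one target service; the
// base key never leaves the broker. Constructed sketch, not a GSS-API mechanism.
type Broker struct {
	mu       sync.Mutex        // one shared session table, safe across goroutines
	baseKeys map[string][]byte // principal -> base key (constructed sample data)
	sessions map[string]string // session id -> principal
}

func NewBroker() *Broker {
	// A real broker would load keys from a keytab, KCM or the platform keystore.
	return &Broker{
		baseKeys: map[string][]byte{"alice@EXAMPLE.ORG": []byte("constructed-base-key")},
		sessions: map[string]string{},
	}
}

// mac binds principal, audience and expiry under the principal's base key.
func (b *Broker) mac(principal, service string, exp int64) string {
	m := hmac.New(sha256.New, b.baseKeys[principal])
	fmt.Fprintf(m, "%s|%s|%d", principal, service, exp)
	return hex.EncodeToString(m.Sum(nil))
}

// NewSession binds a connecting program to a principal and returns a random session id.
func (b *Broker) NewSession(principal string) (string, error) {
	if b.baseKeys[principal] == nil {
		return "", errors.New("unknown principal")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	b.mu.Lock()
	b.sessions[id] = principal
	b.mu.Unlock()
	return id, nil
}

// IssueToken mints "principal|service|expiry|hmac" for one target service.
func (b *Broker) IssueToken(sid, service string, ttl time.Duration) (string, error) {
	b.mu.Lock()
	principal, ok := b.sessions[sid]
	b.mu.Unlock()
	if !ok {
		return "", errors.New("unknown session")
	}
	exp := time.Now().Add(ttl).Unix()
	return fmt.Sprintf("%s|%s|%d|%s", principal, service, exp, b.mac(principal, service, exp)), nil
}

// VerifyToken checks audience, expiry and MAC (in constant time) and returns
// the principal. baseKeys is read-only after construction, so no lock is needed.
func (b *Broker) VerifyToken(token, service string) (string, error) {
	p := strings.Split(token, "|")
	if len(p) != 4 {
		return "", errors.New("malformed token")
	}
	exp, err := strconv.ParseInt(p[2], 10, 64)
	switch {
	case err != nil:
		return "", errors.New("malformed expiry")
	case b.baseKeys[p[0]] == nil:
		return "", errors.New("unknown principal")
	case p[1] != service:
		return "", errors.New("token issued for a different service")
	case time.Now().Unix() >= exp:
		return "", errors.New("token expired")
	case !hmac.Equal([]byte(p[3]), []byte(b.mac(p[0], p[1], exp))):
		return "", errors.New("bad signature")
	}
	return p[0], nil
}

// main walks the flow a client would drive over a pipe or socket.
func main() {
	b := NewBroker()
	sid, _ := b.NewSession("alice@EXAMPLE.ORG")
	tok, _ := b.IssueToken(sid, "host/web.example.org", 5*time.Minute)
	who, err := b.VerifyToken(tok, "host/web.example.org")
	fmt.Println(who, err)
}
```

The three methods are exactly the operations a line protocol over a Unix socket would carry (open session, get token for service, verify token); the point of the shape is that the session table is one shared structure guarded by a mutex, so every goroutine or thread uses the same cache instead of populating its own, and that a token issued for one service is rejected by another.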