[4425] in Kerberos
Re: Krb5B43 <-> DCE security ?
daemon@ATHENA.MIT.EDU (Joseph N. Pato)
Tue Jan 3 12:49:35 1995
Date: Tue, 3 Jan 1995 12:22:57 -0500
To: gwb@yorick.umd.edu (George Baltz), doyle@scratchy.oec.com
From: pato@apollo.hp.com (Joseph N. Pato)
Cc: kerberos@MIT.EDU
Here is a message I sent to the krb5-bugs list on this topic.
>X-Sender: pato@pop-e5.ch.apollo.hp.com
>Mime-Version: 1.0
>Date: Tue, 3 Jan 1995 10:55:26 -0500
>To: "George W. Baltz" <gwb@holmes.umd.edu>
>From: pato@apollo.hp.com (Joseph N. Pato)
>Subject: Re: krb5 vs. DCE
>Cc: krb5-bugs@MIT.EDU, gwb@umd5.umd.edu
>
>At 10:36 12/28/94, George W. Baltz wrote:
>>Believing the FAQ, I tried to run some krb5 clients against our (test) DCE
>>servers, with less than spectacular results. kinit did connect to the server,
>>but gave up with ASN.1 missing field errors.
>>
>>Problem: no code in krb5 for ASN.1 'constructed indefinite' fields, which the
>>DCE security server uses. (Probably means they don't have to build messages
>>backwards :-) .)
>>
>
>The FAQ was correct at the time it was last released. The ASN.1 encoding
>code changed in the latest beta patch from MIT and stopped supporting both
>BER and DER encodings. The older version of DCE (currently shipped
>products) were improperly generating the indefinite fields. Newer DCE code
>will generate the proper sequences and accept either. The MIT code used to
>generate the proper encoding and accept either, but when the ISODE based
>code was replaced with hand rolled marshalling code, this feature was lost.
>
>Thanks for your restoring this capability.
>
> - Joe Pato
> Hewlett-Packard Co.
> pato@ch.hp.com
> +1 (508) 436-4350; FAX +1 (508) 436-5140
