[16940] in Kerberos_V5_Development
Re: Authdata, preauth plugin headers
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Jun 27 07:40:32 2011
From: Sam Hartman <hartmans@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Date: Mon, 27 Jun 2011 07:40:23 -0400
In-Reply-To: <1307636759.2281.149.camel@t410> (Greg Hudson's message of "Thu, 09 Jun 2011 12:25:59 -0400")
Message-ID: <tslaad3zemw.fsf@mit.edu>
MIME-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
>>>>> "Greg" == Greg Hudson <ghudson@MIT.EDU> writes:
Greg> 1. Use the new plugin framework. Doing this will make it
Greg> easier to make backward-compatible extensions to the interface
Greg> in the future. We'll need to add some kind of
Greg> auto-registration mechanism for pkinit, to avoid adding to the
Greg> configuration necessary to get it working.
Why won't future mechanisms need this auto-registration?
Why do we want to make them harder?
Greg> 5. Maybe change to how error data is generated. I'll need
Greg> Sam's input here. Currently, plugins produce an arbitrary
Greg> blob of e-data to be placed in errors. FAST requires preauth
Greg> mechanism error data to be padata. PKINIT specifies that its
Greg> errors come packaged as typed-data, which walks and talks like
Greg> padata but has a different ASN.1 tag. What we do right now is
Greg> try to decode the e-data as padata, then try to decode it as
Greg> typed-data and convert for FAST. Maybe there's a way we can
Greg> do better, although I'm not really sure how.
For everything I'm familiar with, you can return errors as padata and
provide a flag requesting conversion to typed data for some non-FAST
mechanisms.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
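The two error-data shapes the thread argues about, as an added example that is not part of the thread and not MIT krb5 code. Greg describes the current behaviour (try to decode e-data as padata, then as typed-data, and convert for FAST); Sam's reply is that mechanisms could always return padata and set a flag when the typed-data wire form is wanted. The block below encodes and decodes both shapes with a small DER reader and shows both of those flows. The tag numbers are from RFC 4120 (PA-DATA: padata-type [1], padata-value [2]; TYPED-DATA element: data-type [0], data-value [1] OPTIONAL). Everything else is assumed for illustration: the function names (edata_to_padata, padata_to_edata and the helpers), the "opaque" result for e-data that decodes as neither shape, the mapping of a missing data-value to an empty padata-value, and the sample messages, whose padata type numbers are placeholders rather than PKINIT's real values.

```python
"""Added example (not from the krbdev thread or MIT krb5): decode KDC error
e-data as METHOD-DATA (padata) or TYPED-DATA and normalise it for FAST."""

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):
    # non-negative INTEGER, minimal two's-complement encoding
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

# 0xA0 | n is the explicit, constructed context tag [n] that Kerberos uses
def encode_method_data(items):
    """METHOD-DATA ::= SEQUENCE OF PA-DATA (RFC 4120: [1] type, [2] value)."""
    return tlv(0x30, b"".join(
        tlv(0x30, tlv(0xA1, der_int(t)) + tlv(0xA2, tlv(0x04, v))) for t, v in items))

def encode_typed_data(items):
    """TYPED-DATA (RFC 4120: [0] type, [1] value OPTIONAL, so value may be None)."""
    return tlv(0x30, b"".join(
        tlv(0x30, tlv(0xA0, der_int(t)) + (b"" if v is None else tlv(0xA1, tlv(0x04, v))))
        for t, v in items))

def read_tlv(buf, pos):
    """Return (tag, content, next_pos); ValueError on any truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, tag):
    t, content, end = read_tlv(buf, 0)
    if t != tag or end != len(buf):
        raise ValueError("expected tag %#x" % tag)
    return content

def iter_tlvs(content):
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner

def decode_elements(buf, type_tag, value_tag, value_optional, min_count):
    """Shared decoder for both shapes; returns a list of (type, value|None)."""
    out = []
    for tag, elem in iter_tlvs(expect(buf, 0x30)):
        if tag != 0x30:
            raise ValueError("element SEQUENCE expected")
        fields = list(iter_tlvs(elem))
        if not fields or fields[0][0] != (0xA0 | type_tag):
            raise ValueError("type field has wrong tag")
        etype = int.from_bytes(expect(fields[0][1], 0x02), "big", signed=True)
        if len(fields) == 1 and value_optional:
            value = None
        elif len(fields) == 2 and fields[1][0] == (0xA0 | value_tag):
            value = expect(fields[1][1], 0x04)
        else:
            raise ValueError("unexpected element layout")
        out.append((etype, value))
    if len(out) < min_count:
        raise ValueError("too few elements")
    return out

def decode_method_data(buf):
    return decode_elements(buf, 1, 2, False, 0)

def decode_typed_data(buf):
    return decode_elements(buf, 0, 1, True, 1)

def edata_to_padata(edata):
    """Current behaviour per the thread: try padata, then typed-data, and
    normalise to a padata list for FAST.  Returns (kind, items)."""
    try:
        return "padata", decode_method_data(edata)
    except ValueError:
        pass
    try:
        items = decode_typed_data(edata)
    except ValueError:
        return "opaque", None  # neither shape: e-data stays an opaque blob
    # PA-DATA has no OPTIONAL value, so a missing data-value becomes empty (assumed)
    return "typed-data", [(t, b"" if v is None else v) for t, v in items]

def padata_to_edata(items, want_typed_data=False):
    """Sam's alternative: mechanisms always return padata, and a flag selects
    the typed-data wire form for the mechanisms that need it."""
    return encode_typed_data(items) if want_typed_data else encode_method_data(items)

# Constructed samples; the padata types are placeholders, not PKINIT's values
SAMPLE_PADATA = encode_method_data([(2, b"\x30\x00"), (16, b"")])
SAMPLE_TYPED = encode_typed_data([(102, b"abc"), (103, None)])
```

The decoders cannot confuse the two shapes because the first field of every element carries a different context tag ([1] for PA-DATA, [0] for TYPED-DATA), so the padata attempt fails cleanly on PKINIT-style data before the typed-data attempt runs. A KDC that adopts the flag approach (padata_to_edata) never has to sniff the encoding on the way back in, which is the point of Sam's reply.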