[17343] in Kerberos_V5_Development
Re: OTP ASN.1 encoders for 1.10
daemon@ATHENA.MIT.EDU (Nathaniel McCallum)
Mon Oct 31 10:48:28 2011
Message-ID: <1320072500.25591.3.camel@localhost>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: ghudson@mit.edu
Date: Mon, 31 Oct 2011 10:48:20 -0400
In-Reply-To: <201110310347.p9V3lRKs009395@outgoing.mit.edu>
Cc: krbdev@mit.edu
On Sun, 2011-10-30 at 23:47 -0400, ghudson@mit.edu wrote:
> For the life cycle of 1.10, the FAST OTP plugin will live outside the
> krb5 source release. This plugin needs to encode several new ASN.1
> sequences, like PA-OTP-CHALLENGE, some of which incorporate existing
> krb5 and PKINIT sequences (EncryptedData and AlgorithmIdentifier).
>
> My plan is to add the encoders to libkrb5 for 1.10, export them, and
> declare them (along with the structures) in a header k5-int-otp.h,
> akin to k5-int-pkinit.h. This header can be copied into the OTP
> plugin source (I told Linus that we'd install it, but now I think
> that's unnecessary). Adding encoders for OTP stuff shouldn't
> destabilize the 1.10 release since nothing will use them besides OTP
> plugins, so we can do it at pretty much any point during the release
> cycle.
>
> For the 1.11 release, I hope the OTP plugin can be part of the krb5
> source tree, with a pluggable interface for vendor-specific modules,
> which will render k5-int-pkinit.h moot (or a purely internal
> artifact). I also hope we can improve the ASN.1 extensibility
> situation for 1.11, but I need to do more research before I can lay
> out concrete options for that.
This would be a big help, thanks!