[861] in Kerberos_V5_Development
Re: Proposed Kerberos V5 Password Changing Algorithm
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Feb 23 12:55:29 1995
Date: Thu, 23 Feb 1995 12:55:20 +0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: Rich Salz <rsalz@osf.org>
Cc: krbdev@MIT.EDU
In-Reply-To: Rich Salz's message of Thu, 23 Feb 95 12:16:25 -0500,
<9502231716.AA14140@sulphur.osf.org>

   From: Rich Salz <rsalz@osf.org>
   Date: Thu, 23 Feb 95 12:16:25 -0500

   If you're going to use a new port, then it doesn't make sense to
   define a binary protocol. Can't these PDU's be added as an optional
   part of the existing "port 88" protocol? At least there it makes
   more sense to include this kind of cheap argv-into-binary kind of thing.

I don't want it on port 88, because it's not necessarily going to be
implemented as a part of the KDC. In fact, in most cases it's going to
be a completely separate daemon.
Even for the DCE, it'll probably be done as an entirely separate daemon,
based on conversations I've had with Bill Sommerfeld. (There's a reason
why the change password command includes the old password, even though
you've already authenticated to the password changing daemon.)
Also, if it were on port 88, it would have to be encoded using ASN.1,
and I'm not planning on implementing any further ASN.1 PDU's. I think
at this point it's widely recognized that use of ASN.1 in the Kerberos
V5 protocol was a mistake.
- Ted