Re: couple socket-connection questions




>hopefully you're expecting an answer from the list, b/c i'm afraid i
>don't have any commentary on the matter. my gut reaction is that one
>doesn't expect TCP connections to last too long, right? so maybe the

It would be advantageous to have some concurrency where generation of
authorization data is involved, because that may require the backend
to make complex directory service queries or potentially contact a
remote server.

>overhead is unwarranted for that reason. or are there obvious protocol
>extensions coming down the line that would call for clients to
>require more than a few intermittent, ``stateless'' packet exchanges
>with the KDC? hmm. <tongue-in-cheek>in that case, maybe it's time to
>turn Kerberos into a ``web service'', dump the DER, dress it up in
>XML and give it a marketing makeover</tongue-in-cheek>

Well, Heimdal has supported HTTP KDC requests for a while now; see
handle_http_tcp() in kdc/connect.c. I'm not sure if anyone has ever
documented or used this. :-)

Encapsulating KDC requests in SOAP or XML-RPC, that would certainly
be interesting; I expect this could be achieved in theory by combining
IAKERB with WS-Security. But I'm digressing...

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com