
Re: Kerberos Feature Request



>Jeffrey Altman objects that I want an API, not an RFC, so IETF 
>shouldn't be involved, but I think the example I just gave would be 
>an RFC.  I'm trying to limit my care-about's though.  I just want a 
>general way to make use of the feature, which is currently pretty 
>inaccessible.

I guess I don't understand why you need an RFC.  From a protocol
standpoint (the main point of interest of the IETF), the work has, from
my perspective, already been done.  How you transmit authorization data
is completely defined within the protocol.  (And I will echo others:
you should really read the clarifications document for the most current
information on the handling of authorization data within the Kerberos
protocol).

Now, currently the authorization data is what you call "pretty
inaccessible".  If you're speaking in terms of the GSSAPI, I would
agree.  However, if you are using the MIT krb5 API, then I wouldn't
agree, because you can get access to the authorization data on
application servers via the MIT krb5 API (which is what you really
care about from an application server perspective).  You can utilize
this API feature no matter whose KDC you are using.

Now, it's true that currently an MIT KDC has no way of inserting
authorization data into service tickets.  That, however, is purely an
_implementation_ issue.  You could add such code today, and it wouldn't
require a protocol change at all.  Where you get the authorization data
from is completely up to you; the _protocol_ doesn't care, and the
Kerberos RFC shouldn't require any modification.  This is, of course,
assuming that I'm understanding what you're asking for.

--Ken
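Ken's point is that the wire format is already fixed: RFC 4120 defines AuthorizationData as a SEQUENCE OF { ad-type [0] Int32, ad-data [1] OCTET STRING }, and an application server that receives a ticket only has to decode it and decide which elements it understands. The following is an added example, not Ken's code and not part of MIT krb5: a small DER walker for that structure, plus the criticality rule from RFC 4120 section 5.2.6 (elements wrapped in AD-IF-RELEVANT, ad-type 1, may be ignored if not understood; any other unknown element must cause the authentication to be rejected). The ad-type values other than 1 and the ad-data strings are constructed sample values.

```python
"""Decode Kerberos AuthorizationData (RFC 4120 s5.2.6) and apply its criticality rule."""

AD_IF_RELEVANT = 1  # RFC 4120: contents may be ignored by a server that does not understand them


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; supports short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _expect(buf, pos, tag):
    """Like _tlv, but fail loudly if the tag is not the one the schema requires."""
    t, value, nxt = _tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return value, nxt


def parse_authorization_data(blob):
    """Return [(ad_type, ad_data), ...] for a DER-encoded AuthorizationData."""
    seq, end = _expect(blob, 0, 0x30)                      # outer SEQUENCE OF
    if end != len(blob):
        raise ValueError("trailing bytes after AuthorizationData")
    elems, pos = [], 0
    while pos < len(seq):
        item, pos = _expect(seq, pos, 0x30)                # one element SEQUENCE
        ctx0, p = _expect(item, 0, 0xA0)                   # [0] ad-type
        ad_type = int.from_bytes(_expect(ctx0, 0, 0x02)[0], "big", signed=True)
        ctx1, _ = _expect(item, p, 0xA1)                   # [1] ad-data
        elems.append((ad_type, _expect(ctx1, 0, 0x04)[0]))
    return elems


def encode_authorization_data(elems):
    """Inverse of parse_authorization_data; used here only to build constructed test input."""
    def tlv(tag, v):
        assert len(v) < 128, "short-form length is enough for these samples"
        return bytes([tag, len(v)]) + v
    def int32(n):
        return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)
    body = b"".join(tlv(0x30, tlv(0xA0, tlv(0x02, int32(t))) + tlv(0xA1, tlv(0x04, d)))
                    for t, d in elems)
    return tlv(0x30, body)


def collect(blob, known_types):
    """Flatten AD-IF-RELEVANT wrappers and keep known elements; an unknown critical element is fatal."""
    out = []
    for ad_type, ad_data in parse_authorization_data(blob):
        if ad_type == AD_IF_RELEVANT:                      # non-critical: skip what we don't know
            out.extend(e for e in parse_authorization_data(ad_data) if e[0] in known_types)
        elif ad_type in known_types:
            out.append((ad_type, ad_data))
        else:                                              # critical and not understood
            raise ValueError(f"unknown critical ad-type {ad_type}: reject authentication")
    return out
```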