[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HDB layer ideas

For XAD, we used Love's proposal for HDB extensions (omissions for

hdb-ext ::= CHOICE {
        pkinit-acl[0]   hdb-ext-pkinit-acl,
        pkinit-cert[1]  hdb-ext-pkinit-certificate,

hdb-extension ::= SEQUENCE {
        mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
                                        --   if not the whole entry must
                                        --   be rejected
        data[1]         hdb-ext

hdb-extensions ::= SEQUENCE OF hdb-extension

hdb-entry ::= SEQUENCE {
        principal[0]    Principal  OPTIONAL, -- this is optional only
                                             -- for compatibility with libkrb5
        extensions[13]  hdb-extensions OPTIONAL,

The only problem with this solution is that it doesn't deal well with
types that can't be represented in ASN.1, or that need to be defined
at runtime (eg. by a loadable HDB module).

There might be some interesting solutions to this, I'll have to think
some more...

-- Luke