
Re: [patch] miscellaneous mechglue stuff

On Mon, 2006-05-08 at 00:39 -0500, Nicolas Williams wrote:
> On Mon, May 08, 2006 at 10:29:57AM +1000, Luke Howard wrote:
> > 
> > >The best thing would be to advocate gss_krb5_inquire_sec_context_by_oid w/
> > >OIDs for the subkey and PAC [1] w/ support in MIT and stock Heimdal.
> > 
> > For accessing the PAC, we will probably move to store the authorization
> > data inside a gss_name_t() and provide something like gss_inquire_name_by_oid
> > rather than extracting it from the context.
> The API is already specified, albeit in an Internet-Draft -- see the
> IETF KITTEN WG page, see draft-ietf-kitten-gssapi-naming-exts-01.txt.

Would the kerberos libs do the PAC verification?  Otherwise, we need the
tgs authtime timestamp and keyblock too.

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
