logo_kerberos.gif

Ops feedback notes 2014-10-07

From K5Wiki
Revision as of 16:55, 8 October 2014 by TomYu (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


There were requests for notes from the in-person ops forum from September.

SHA-2 enctypes

There might be policy or regulatory reasons that sites will want to migrate away from SHA-1, even if the uses in symmetric Kerberos crypto are safe due to HMAC. There is a KITTEN WG draft (nearing completion) for Suite B enctypes in Kerberos, which uses SHA-2 hashes. Non-specialists often only hear "SHA-1 is bad" and lack background to understand why its use in Kerberos is safe.

Web auth

...to be transcribed...

Feature requests

Improvements to iprop (Richard Basch), e.g., notify-style protocol flow to decrease latency. There is some other interest in that as well. Setups exist where the master typically doesn't get ticket requests, so anything to decrease the propagation latency helps.

Reporting features (special query-friendly dump file format). Tom will outline some designs soon.

Policy updates through iprop. Already happens post-1.12 by forcing a full dump, but we can make it better.

Personal tools