Difference between revisions of "Release 1.10"

(Timeline)
 
(One intermediate revision by the same user not shown)
Line 4: Line 4:
   
 
* Oct. 2011 -- make release branch
 
* Oct. 2011 -- make release branch
* Dec. 2011 -- final release
+
* Jan. 2012 -- final release
   
== Goals ==
+
== Code quality ==
   
  +
* Update the Fortuna implementation to more accurately implement the description in ''Cryptography Engineering'', and make it the default PRNG.
  +
* Add an alternative PRNG that relies on the OS native PRNG.
  +
  +
== Developer experience ==
  +
  +
* Add the ability for GSSAPI servers to use any keytab key for a specified service, if the server specifies a host-based name with no hostname component.
 
* Kernel / user split (for NFS, etc.): Add build infrastructure demonstrating and testing a message-processing subset of the gss-krb5 mechanism suitable for kernel filesystems.
 
* Kernel / user split (for NFS, etc.): Add build infrastructure demonstrating and testing a message-processing subset of the gss-krb5 mechanism suitable for kernel filesystems.
* Localization: Create infrastructure for localization of client user interface messages using gettext.
 
  +
* Allow rd_safe and rd_priv to ignore the remote address.
* Improve API documentation: Create documentation for the libkrb5 API.
 
  +
* Rework KDC and kadmind networking code to use an event loop architecture.
* Selective refactoring of KDC (to support libKDC etc.): Reorganize parts of the KDC code for improved modularity and maintainability.
 
 
* Pluggable configuration back-end: Allow applications and integrators to override krb5.conf as the source of krb5 configuration data.
 
* Pluggable configuration back-end: Allow applications and integrators to override krb5.conf as the source of krb5 configuration data.
  +
  +
== End-user experience ==
 
* Localization: Create infrastructure for localization of client user interface messages using gettext.
 
* Credential selection: Add a facility to select between credentials for different Kerberos identities based on the service being contacted. (This will be confirmed).
 
* Credential selection: Add a facility to select between credentials for different Kerberos identities based on the service being contacted. (This will be confirmed).
  +
  +
== Administrator experience ==
  +
  +
* Add more complete support for renaming principals.
  +
* Add the profile variable ignore_acceptor_hostname in libdefaults. If set, GSSAPI will ignore the hostname component of acceptor names supplied by the server, allowing any keytab key matching the service to be used.
  +
* Add support for string attributes on principal entries.
  +
* Allow password changes to work over NATs.
  +
  +
== Protocol evolution ==
  +
 
* Referrals: Finish implementation following IETF updates.
 
* Referrals: Finish implementation following IETF updates.
 
* PKINIT hash agility: Allow PKINIT to use newer hash algorithms than SHA-1.
 
* PKINIT hash agility: Allow PKINIT to use newer hash algorithms than SHA-1.
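
Review bot: The added "ignore_acceptor_hostname" bullet under Administrator experience and the added Developer experience bullet about host-based names with no hostname component both end with any keytab key for the service being usable, but neither refers to the other. Cross-reference them, and say in the ignore_acceptor_hostname bullet that setting it widens the set of keytab keys an acceptor will accept for that service, since that is the part an administrator has to plan around. The revision also no longer lists "Improve API documentation" or "Selective refactoring of KDC", and moves the final release from Dec. 2011 to Jan. 2012, without saying whether those items were deferred or dropped. A one-line note on their status would keep the roadmap traceable.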

Latest revision as of 17:55, 27 January 2012

Timeline

This is only an approximate timeline.

  • Oct. 2011 -- make release branch
  • Jan. 2012 -- final release

Code quality

  • Update the Fortuna implementation to more accurately implement the description in Cryptography Engineering, and make it the default PRNG.
  • Add an alternative PRNG that relies on the OS native PRNG.

Developer experience

  • Add the ability for GSSAPI servers to use any keytab key for a specified service, if the server specifies a host-based name with no hostname component.
  • Kernel / user split (for NFS, etc.): Add build infrastructure demonstrating and testing a message-processing subset of the gss-krb5 mechanism suitable for kernel filesystems.
  • Allow rd_safe and rd_priv to ignore the remote address.
  • Rework KDC and kadmind networking code to use an event loop architecture.
  • Pluggable configuration back-end: Allow applications and integrators to override krb5.conf as the source of krb5 configuration data.

End-user experience

  • Localization: Create infrastructure for localization of client user interface messages using gettext.
  • Credential selection: Add a facility to select between credentials for different Kerberos identities based on the service being contacted. (This will be confirmed).

Administrator experience

  • Add more complete support for renaming principals.
  • Add the profile variable ignore_acceptor_hostname in libdefaults. If set, GSSAPI will ignore the hostname component of acceptor names supplied by the server, allowing any keytab key matching the service to be used.
  • Add support for string attributes on principal entries.
  • Allow password changes to work over NATs.

Protocol evolution

  • Referrals: Finish implementation following IETF updates.
  • PKINIT hash agility: Allow PKINIT to use newer hash algorithms than SHA-1.