Release Meeting Minutes/2011-12-06
Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkova, Tom Yu
- Talked to Linux re OTP plugin. Red Hat will have an out-of-tree ASN.1 encoder. Later hopefully in-tree. Tried to incorporate encoders into our tree for 1.10. ASN1C for plugin. Linus didn't like. (Would have to be reworked anyway though.) Implicit tags in module definition so test vectors didn't match. Our (in-tree) table-driven encoder written with assumption that tags are explicit. OTP module to use ASN1C for encoders. Nathaniel might not like the duplicated work post-1.10.
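The tagging mismatch noted above (module written with IMPLICIT context tags, in-tree table-driven encoder assuming EXPLICIT tags, so test vectors did not match) is easy to see at the byte level. The following is an added, constructed example, not krb5 or ASN1C code: a minimal DER encoder that emits a two-field SEQUENCE under either tagging mode, plus a decoder that assumes EXPLICIT tags and rejects the implicitly tagged form. The field layout (`[0] INTEGER`, `[1] OCTET STRING`) is invented for illustration.

```python
"""EXPLICIT vs. IMPLICIT context tagging in DER (constructed example, not krb5 code)."""


def der_length(n: int) -> bytes:
    """DER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER."""
    n = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return der_tlv(0x02, n)


def der_octet_string(b: bytes) -> bytes:
    return der_tlv(0x04, b)


def context_explicit(num: int, inner: bytes) -> bytes:
    """[num] EXPLICIT: a constructed context tag wrapping the whole inner TLV."""
    return der_tlv(0xA0 | num, inner)


def context_implicit(num: int, inner: bytes) -> bytes:
    """[num] IMPLICIT: the inner tag byte is replaced; the constructed bit is kept."""
    constructed = inner[0] & 0x20
    return bytes([0x80 | constructed | num]) + inner[1:]


def encode_sequence(fields, tagging: str = "explicit") -> bytes:
    """Table-driven SEQUENCE of (context number, pre-encoded value) pairs."""
    tag_fn = context_explicit if tagging == "explicit" else context_implicit
    body = b"".join(tag_fn(num, val) for num, val in fields)
    return der_tlv(0x30, body)


def parse_tlv(data: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_explicit_fields(seq: bytes):
    """Decoder that assumes EXPLICIT context tags, as the in-tree encoder did.

    Each element must be a constructed [n] wrapper around a full inner TLV.
    A primitive [n] can only have come from IMPLICIT tagging of a primitive
    type, so it is rejected. (An implicitly tagged constructed type would
    still carry the constructed bit and is not caught by this check.)
    """
    tag, body, _ = parse_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        ctag, content, pos = parse_tlv(body, pos)
        num = ctag & 0x1F
        if not ctag & 0x20:
            raise ValueError(f"[{num}] is primitive: IMPLICIT tagging, not EXPLICIT")
        inner_tag, inner_val, _ = parse_tlv(content, 0)
        fields.append((num, inner_tag, inner_val))
    return fields


# Constructed sample: [0] INTEGER 5, [1] OCTET STRING "otp" (layout is hypothetical).
SAMPLE_FIELDS = [(0, der_integer(5)), (1, der_octet_string(b"otp"))]


if __name__ == "__main__":
    for mode in ("explicit", "implicit"):
        enc = encode_sequence(SAMPLE_FIELDS, mode)
        print(mode, enc.hex())
        try:
            print("  decoded:", decode_explicit_fields(enc))
        except ValueError as e:
            print("  rejected:", e)
```

Running it shows the two encodings differ in every context-tagged element (`a0 03 02 01 05` versus `80 01 05`), which is exactly why vectors generated from an IMPLICIT module cannot be matched by an encoder whose tables assume EXPLICIT wrappers.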
- Was hoping to make RPC update a higher priority.
- GSS proxy would mostly need XDR, not an updated RPC.
- Linux NFS people will want good async performance.
[ We can defer the RPC lib upgrade until after initial gss proxy stuff. ]
- Trying to move away from traditional delegation and instead do S4U2proxy. Better control over security policy. mod_auth_kerb... needed GSS_C_BOTH. init_sec_context can't init the proxy service ccache itself; need cron job to make. Minor patch to mod_auth_kerb. Need config switch (so it will be optional for upstream). Library doesn't store the end service ticket it gets from constrained delegation.
- Luke had comments. (1) not grow without bound (2) expired creds. [ Neither really makes sense... ] Will change trunk to address. Probably only to 1.11.
- New meaning for on-disk proxy credentials is a feature change.
- Interaction with MS-PAC. Right keys not in right place in validate.
- Will relax pac_verify so it takes null service key. (Luke thinks this is OK.)