logo_kerberos.gif

Roadmap (completed items)

From K5Wiki
Revision as of 14:35, 31 August 2015 by TomYu (talk | contribs) (New page: These roadmap items have been completed. This is not an exhaustive list. Items will remain here until they have been cross-checked as being listed in the relevant release notes, at w...)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

These roadmap items have been completed. This is not an exhaustive list. Items will remain here until they have been cross-checked as being listed in the relevant release notes, at which time they will be removed.

Code quality

  • Remove krb4 (1.7)
  • Move applications to separate distribution (1.8)
  • Use safer library functions
    • Avoids false positives
    • Avoids need to (probably manually) evaluate "unsafe" calls
    • Stop using strcpy, strcat, sprintf, etc.
      • Mostly done
      • New internal APIs for complex operations
  • Reduce commitment to "difficult" platforms
  • Move toward test-driven development
    • Python-based test framework (1.9)

Developer experience

  • GSS-API mechglue changes to enable NTLM support (1.7)
  • Crypto modularity (1.8)
    • Native (accelerated) crypto API support
    • Performance optimizations (caching, etc.)
    • New API design for encryption performance (1.8)
  • "The Great Reindent" (1.8)
  • Plugins
    • PRNG (1.9)
    • Profile / configuration (1.10)
  • Subsets
    • GSS-API: separate context establishment from message protection functions, e.g. Solaris user/kernel space split (1.10)

End-user experience

  • Referrals (1.7)
  • Localization (1.10)

Administrator experience

  • Incremental propagation (1.7)
  • Master key rollover (1.7)
  • Auditing support (log all ticket requests) (1.7)
  • Disable DES by default (1.8)
  • Lockout for repeated login failures (1.8)
    • Implement LHA/Apple proposal to store config information in ccache to signal when a realm supports referrals and thus the future capability to eschew reverse DNS resolution (1.8)
  • Trace logging for easier troubleshooting (1.9)
  • Plugins for password quality checks (1.9)
  • Plugins for password synchronization (1.9)
  • Print enctypes using the "input form" string (1.9)

Performance

  • New crypto API (1.8) facilitates optimizations
  • Replay cache ("rcache")
    • Collision avoidance (1.7)
  • Disable replay cache on KDC (1.9)

Protocol evolution

  • Encryption algorithm negotiation (1.7)
  • Microsoft Kerberos extensions (1.7)
  • Improved PKINIT support (1.7)
  • Anonymous PKINIT (1.8)
  • FAST (done in 1.7 for a subset; IETF)
  • FAST negotiation (1.8)
  • IAKERB (1.9)
  • Camellia (1.9)