logo_kerberos.gif

Release Meeting Minutes/2011-12-06

From K5Wiki
Jump to: navigation, search


Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkova, Tom Yu

OTP

Greg
Talked to Linux re OTP plugin. Red Hat will have an out-of-tree ASN.1 encoder. Later hopefully in-tree. Tried to incorporate encoders into our tree for 1.10. ASN1C for plugin. Linus didn't like. (Would have to be reworked anyway though.) Implicit tags in module definition so test vectors didn't match. Our (in-tree) table-driven encoder written with assumption that tags are explicit. OTP module to use ASN1C for encoders. Nathaniel might not like the duplicated work post-1.10.
Tom
Was hoping to make RPC update a higher priority.
Greg
GSS proxy would mostly need XDR, not an updated RPC.
Tom
Linux NFS people will want good async performance.

[ We can defer the RPC lib upgrade until after initial gss proxy stuff. ]

S4U2proxy

Simo
Trying to move away from traditional delegation and instead do S4U2proxy. Better control over security policy. mod_auth_kerb... needed GSS_C_BOTH. init_sec_context can't init the proxy service ccache itself; need cron job to make. Minor patch to mod_auth_kerb. Need config switch (so it will be optional for upstream). Library doesn't store the end service ticket it gets from constrained delegation.
Greg
Luke had comments. (1) not grow without bound (2) expired creds. [ Neither really makes sense... ] Will change trunk to address. Probably only to 1.11.
Tom
New meaning for on-disk proxy credentials is a feature change.

PAC validation

Simo
Interaction with MS-PAC. Right keys not in right place in validate.
Greg
Will relax pac_verify so it takes null service key. (Luke thinks this is OK.)