logo_kerberos.gif

Release Meeting Minutes/2013-02-12

From K5Wiki
Jump to: navigation, search


David Benjamin, Thomas Hardjono, Greg Hudson, Ben Kaduk, Simo Sorce, Zhanna Tsitkov, Tom Yu

Greg
Started work on auth_to_local interface. Want to fix some existing behavior. Can't distinguish different realms. Also a problem when using regex-based rules.
Greg
Probably will leave things alone in case someone depends on it, and document behavior.
Tom
git.mit.edu firewalled from off-campus soon.

Some discussion about CAMMAC. What purpose does a KDC MAC serve? Detached verification? Some people (Sam?) are skeptical about detached verification. Do we want something like ad-signedpath? What bits to sign?

Tom
S4U2Proxy -- CAMMAC as it currently exists is probably good enough to allow supporting it in the future. (e.g., could define a new authorization data type that MACs most of the content of the ticket, and put that in the CAMMAC.) So what is the minimum binding component?
Simo
cname, authtime, endtime -- to support detached verification.
Tom
Do you actually need detached verification?
Simo
Can probably use GSS proxy, but would like the option if needed in the future.
Tom
Will get text to you later this week.