Ops feedback notes 2015-03-03
Recent vulns? How far back?
- Some go back a long way, but the advisory should be clear about that.
Tom has an example on his keyinfo branch on GitHub. Should we use symbolic vs. numeric values for things like enctypes? There seems to be a preference for short symbolic names.
Some use cases include ensuring that policies are adhered to. Some sites have front-end services that do enhanced policy enforcement. Direct use of kadmin, etc. can bypass these policies, so having a way to check by parsing a dumpfile would be nice.
Formats? XML? comma-separated? colon-separated?
For bitfields, do we output all settings, or just the ones that are set? Auditors probably want to be able to see every defined flag regardless of whether it is set. Some question of what to do with new flags that get defined. (Some of this only matters for dump/edit/load capability.)
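An added example (not from these notes or from the krb5 code base) of the policy-check use case: a Python audit over a constructed tab-separated report that uses short symbolic enctype names and one column per defined flag. The column layout, the `future_flag` column, and the preauth rule for user principals are assumptions made for illustration.

```python
import csv
import io

# Constructed sample report (hypothetical layout, not an actual dump format):
# one row per principal, enctypes as short symbolic names, and one column per
# defined flag so that unset flags are visible as 0.
SAMPLE_REPORT = (
    "name\tenctypes\trequires_preauth\tdisallow_svr\tfuture_flag\n"
    "alice@EXAMPLE.COM\taes256-cts,aes128-cts\t1\t0\t0\n"
    "bob@EXAMPLE.COM\taes256-cts,des-cbc-crc\t0\t0\t0\n"
    "host/web.example.com@EXAMPLE.COM\taes256-cts\t0\t0\t1\n"
)

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # single-DES
KNOWN_FLAGS = {"requires_preauth", "disallow_svr"}  # flags this checker knows
FIXED_COLUMNS = {"name", "enctypes"}


def audit(report_text):
    """Return a sorted list of (principal, finding) tuples for violations."""
    reader = csv.DictReader(io.StringIO(report_text), delimiter="\t")
    # Any extra column is treated as a flag defined after this checker was written.
    unknown = set(reader.fieldnames) - FIXED_COLUMNS - KNOWN_FLAGS
    findings = []
    for row in reader:
        name = row["name"]
        for enctype in row["enctypes"].split(","):
            if enctype in WEAK_ENCTYPES:
                findings.append((name, "weak enctype " + enctype))
        # Assumed site policy: user principals (no "/" in the name) need preauth.
        is_user = "/" not in name.split("@")[0]
        if is_user and row["requires_preauth"] != "1":
            findings.append((name, "requires_preauth not set"))
        # A newly defined flag that is set gets reported rather than ignored.
        for flag in sorted(unknown):
            if row[flag] == "1":
                findings.append((name, "unrecognized flag set: " + flag))
    return sorted(findings)


if __name__ == "__main__":
    for principal, finding in audit(SAMPLE_REPORT):
        print(principal + "\t" + finding)
```

Because every defined flag has its own column, the checker can tell "flag unset" apart from "flag not reported", which is the distinction auditors need.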
Different flavors of dump? Maybe one that includes the key data? Sometimes auditors want to run password crackers on the keys. Might also be useful to do a dump/edit/load process. (We will probably focus on a reporting format first.)
Some interest in dump formats that make it easier to use traditional Unix tools like grep, awk, etc. Tab-separated might