Difference between revisions of "Release Meeting Minutes/2010-02-09"

From K5Wiki

Revision as of 18:02, 9 February 2010

Bob Relyea, Thomas Hardjono, Greg Hudson, Zhanna Tsitkova, Tom Yu, Simo Sorce, Will Fiveash, Sam Hartman

Sam has fix for enc_padata issue

remaining 1.8 issues -- bug reports from Likewise; kadmin history; enc_padata; ssh ticket forwarding weirdness

anonymous pkinit doc? -- some stuff, not yet in TeXinfo

Lockout is documented in kadmin policy help strings, not elsewhere yet.

Debian bug for LDAP fd leak.

Debian bug on Firefox performance doing SPNEGO -- Simo says RHAT saw Firefox doing lots of DNS when doing krb auth. Suggestion that we use plugins to talk to browser, OS DNS caching

Will Fiveash: customer wants HW_AUTHENT set when getting tickets with pkinit with smart cards

Discussion re Level of Assurance, etc., whether IETF krb-wg would be willing to standardize such an extension. Probably, but there might be concerns about the U.S.-centric nature of such an extension.

Will Fiveash: pam_krb5 with pkinit. The pkinit plugin is ignoring password argument.

Some debate about how to best deal with this, whether the password argument should be treated as a token PIN, how to avoid having the token lock out if the wrong token-PIN pairing occurs, etc. Sam suggests a generic interface using prompt types, etc.