Release Meeting Minutes/2011-03-01

From K5Wiki


Greg Hudson, Tom Yu, Zhanna Tsitkova, Sam Hartman, Will Fiveash, Simo Sorce

[some crypto backend discussion]

Anonymous pkinit

Sam
Spec won't change. (probably) Should be easy to add KDC support (for accepting both wrong and right forms). Client side is not so clear.
Greg
Don't like the retry approach (latency etc.). Look for announcement.
Sam
At some point drop old behavior. It's a CMS thing (not part of our ASN.1 code). Code would actually have been cleaner if I'd done it correctly. Probably not going to be that gross. On the client, might cause problems with robustness... signing path vs anonymous path are undifferentiated for longer. Will try to get to it after IETF.
Greg
KDC fix is more valuable.

[debate about adding knobs for testing]

DNS stuff

Greg
Config option for turning on (hierarchical) walk_rtree might be wrong. KDC has implemented capaths for a long time. Heimdal has no realm walk (on the client). Their KDC does (or maybe it forces explicit capaths). Will probably just disable hierarchical walk_rtree.

Trust KDC-local name resolution

Sam
[referrals draft stuff] Would be easy to put in Love's flag "trust me for local aliasing".
Greg
Ticket flag, maybe per-realm (client config) option for "trust KDC for name resolution"

Sam mentions enc-padata stuff (from referrals draft)

Greg agrees with Sam. Also, changing rdns default might be very painful?

Sam
athena.dialup might break (DNS round robin type situation).
Greg
It's a general issue with distributed services. Shared principals mean you have to share replay caches, etc. Does GS2 have issues with replay resistance?
Sam
It's important if you use CFX. Channel bindings. If using endpoint channel bindings, you really want to use DCE-style (3-legged). Otherwise, unique channel bindings might be safe.
Greg
Heimdal does no rdns; they do AI_CANONNAME.
Tom
So they have the forward DNS problem too...
Sam
gethostbyname or getaddrinfo on Solaris or Ultrix wouldn't give you the canonical name if you gave it an alias.

[Tom to propose "trust KDC for aliases" flag type thing]