Hi, Directory Developers,
0.5 Development Update
======================
I am starting some updates to the Kerberos protocol on 0.5. I will be
loading this same info into JIRA on a roadmap.
0.5.1 will be entirely clean-up, mostly in preparation for cross-realm
operation, aka "trust relationships," and 0.5.2 will be the addition of
the actual new feature "trusts."
Hot-plug of SAM Mechanisms
==========================
A side-benefit of note is that it will be easier to customize processing in
0.6 and, in particular, I will be making it much easier to "hot-plug"
Kerberos pre-authentication mechanisms using OSGi by 0.8. For example,
we currently support pre-authentication by "encrypted timestamp" and
Safehaus has a verifier for OATH's HOTP standard for one-time-password
(OTP) verification, aka "single-use authentication mechanism," or SAM.
I have received requests for PKI/SmartCard support as well as commercial
vendor support such as Cryptocard and RSA Security. Of course, being
proprietary, I won't be adding the latter at Apache; I simply wish to
let everyone know a formal mechanism for doing this more easily is in
the works and that we'd love to see commercial vendor adoption.
Additionally, work is underway at OATH for a time-based HOTP variant
(current HOTP is counter-based) and I expect Safehaus will quickly
support that, as well.
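For readers unfamiliar with the HOTP mechanism mentioned above, the following is an added illustration (not code from this mailing-list post, Safehaus, or Apache Directory) of how a counter-based HOTP verifier of the kind described works, including the server-side look-ahead window that tolerates a token pressed without submitting, and the counter advance that prevents a code being replayed. It also shows the time-based variant (counter derived from the clock) that the post says OATH is working on. The secret and the expected codes are the published RFC 4226 test values; the `window` size and the 30-second time step are assumptions for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the moving factor is the number of elapsed time steps
    (30-second step is an assumption here, not something the post specifies)."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                window: int = 10, digits: int = 6):
    """Server-side verification with a look-ahead window.

    Returns the counter value the server must store next, or None on failure.
    Only counters >= stored_counter are tried, so a code that was already
    accepted (and therefore lies below stored_counter) cannot be replayed.
    The window (an assumed value) absorbs token presses that never reached
    the server without letting the client skip arbitrarily far ahead.
    """
    for c in range(stored_counter, stored_counter + window + 1):
        # constant-time comparison so the check does not leak how many
        # digits matched
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    for n in range(3):
        print(n, hotp(secret, n))          # 755224, 287082, 359152
    counter = 0
    counter = verify_hotp(secret, counter, "755224")   # accepted -> 1
    print("stored counter now", counter)
    print("replay accepted?", verify_hotp(secret, counter, "755224") is not None)
    print("TOTP at t=59 (8 digits):", totp(secret, 59, digits=8))
```

A real verifier would also rate-limit failed attempts and persist the returned counter atomically before acknowledging success, since a lost update reopens the replay window.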
0.5.1
=====
- formatting updates to kerberos-protocol and kerberos-common leftover
from the original grant
- refactor kerberos-protocol to chain (affects kerberos-common, too)
- addition of pre-authentication sub-chain
- documentation of the steps in the chain and pre-auth sub-chain
- MINA to 0.7.3
- add some missing toString()'s to improve logging
(org.apache.kerberos.messages.value.HostAddresses,
org.apache.kerberos.crypto.encryption.EncryptionType,
org.apache.kerberos.messages.value.KerberosTime)
- rename some "misnomered" key values (e.g. kdc.default.port to kdc.port)
- replace HostAddress with InternetAddress
0.5.2
=====
- trusts per RFC 4120
Enrique