On Monday, February 14, 2005 01:34:20 PM -0800 Seema Malkani <[EMAIL PROTECTED]> wrote:

> Maybe the next Kerberos clarifications should clarify this particular
> scenario.

A large part of the problem here is that KRB-ERROR does not actually have a complete extension mechanism. It has e-data, which is a single octet string whose meaning is implementation-defined except in the specific case of KDC_ERR_PREAUTH_REQUIRED, in which case it is a sequence of PA-DATA.


The next Kerberos specification will likely clean this up considerably, with a well-defined extension mechanism similar to those provided by PA-DATA and AUTHORIZATION-DATA. For example, take a look at section 9 of
draft-ietf-krb-wg-rfc1510ter-00.txt (very much still a work in progress).



RFC1510bis (draft-ietf-krb-wg-kerberos-clarifications-07.txt) has been approved by the IESG and is in the RFC Editor's queue awaiting publication. Aside from copy-editing performed during the publication process, this document is not expected to change again. If you would like to see additional text in RFC1510ter clarifying the handling of cases where the client sends the wrong preauth type, I'd suggest you make a proposal to that effect on the IETF Kerberos Working Group mailing list, <ietf-krb-wg@anl.gov>.



-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
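As an added illustration of the e-data point above (example code written for this page, not taken from the original message or from any Kerberos implementation): a minimal DER decoder that parses KRB-ERROR e-data as METHOD-DATA (SEQUENCE OF PA-DATA, as defined in RFC 4120) only when error-code is KDC_ERR_PREAUTH_REQUIRED (25), and otherwise hands it back as an opaque octet string. The sample bytes are constructed for the demonstration.

```python
"""Interpret the e-data field of a Kerberos KRB-ERROR (RFC 4120, section 5.9.1)."""
KDC_ERR_PREAUTH_REQUIRED = 25  # RFC 4120, section 7.5.9

def _tlv(data, pos):
    """Read one DER TLV at pos (short- or long-form length); return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give length-of-length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _expect(data, pos, tag):
    """Read a TLV and insist on a specific tag; return (value, next_pos)."""
    got, value, nxt = _tlv(data, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt

def decode_pa_data(der):
    """Parse METHOD-DATA ::= SEQUENCE OF PA-DATA into [(padata-type, padata-value), ...]."""
    body, end = _expect(der, 0, 0x30)                 # outer SEQUENCE OF
    if end != len(der):
        raise ValueError("trailing bytes after METHOD-DATA")
    out, pos = [], 0
    while pos < len(body):
        item, pos = _expect(body, pos, 0x30)          # PA-DATA ::= SEQUENCE
        t_wrap, p = _expect(item, 0, 0xA1)            # padata-type  [1] Int32
        t_raw, _ = _expect(t_wrap, 0, 0x02)
        v_wrap, p = _expect(item, p, 0xA2)            # padata-value [2] OCTET STRING
        v_raw, _ = _expect(v_wrap, 0, 0x04)
        out.append((int.from_bytes(t_raw, "big", signed=True), v_raw))
    return out

def interpret_edata(error_code, e_data):
    """Only KDC_ERR_PREAUTH_REQUIRED gives e-data a standardised structure; for any
    other error code it is implementation-defined and must be left opaque."""
    if error_code == KDC_ERR_PREAUTH_REQUIRED:
        return ("pa-data", decode_pa_data(e_data))
    return ("opaque", e_data)

# Constructed sample METHOD-DATA: PA-ENC-TIMESTAMP (type 2) with an empty value and
# PA-ETYPE-INFO2 (type 19) carrying two placeholder bytes (not a real ETYPE-INFO2 body).
SAMPLE_EDATA = bytes.fromhex("3018" "3009a103020102a2020400" "300ba103020113a20404020102")
```

Running `interpret_edata(KDC_ERR_PREAUTH_REQUIRED, SAMPLE_EDATA)` yields the two PA-DATA entries, while the same bytes under any other error code come back untouched.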

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
