[Ietf-krb-wg] FAST, errors and e-data
Sam Hartman <hartmans-ietf@mit.edu> Mon, 02 March 2009 23:21 UTC
From: Sam Hartman <hartmans-ietf@mit.edu>
To: ietf-krb-wg@anl.gov
Date: Mon, 02 Mar 2009 18:21:20 -0500
Message-ID: <tsl8wnnik9b.fsf@mit.edu>
I want to bring up particularly tricky implementation issues I ran into while implementing FAST, so people can evaluate them when evaluating the spec. I'm working on refactoring the KDC code for MIT Kerberos to support FAST.

FAST reinterprets how KRB-ERROR's e-data field is handled. Previously, the e-data for most errors was unspecified. Some errors, especially those used by pkinit, used typed-data for error handling. Some errors, especially including preauth_required, used a sequence of padata in the KRB-ERROR. It's potentially possible that some error uses e-data in some completely unknown way, but that's definitely not true for any of the standardized errors.

I think what the FAST spec does makes a lot of sense, but it is tricky to implement if you have an existing plugin interface for pre-authentication. At least in MIT Kerberos, the callback responsible for verifying a padata item returns an e-data field directly to be included in the FAST response. Your FAST implementation needs to somehow deal with that.

Long term, we want padata plugins to return a sequence of padata to go in the error. In the short term, we're probably going to end up decoding the e-data coming out of the pre-auth plugin as either a typed-data or a padata.
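As an added illustration of the short-term approach described above (example code, not MIT Kerberos's implementation): a decoder that tells a PA-DATA sequence apart from TYPED-DATA by the context tags on the element fields, which differ between the two ASN.1 types in RFC 4120. The sample inputs are constructed with the block's own encoder, and the DER parser covers only definite-length encodings.

```python
# Added example, not MIT Kerberos code: tell METHOD-DATA (SEQUENCE OF PA-DATA,
# RFC 4120 5.2.7) apart from TYPED-DATA (RFC 4120 5.9.1) inside a KRB-ERROR
# e-data value.  The element fields carry different context tags: PA-DATA is
# { padata-type [1], padata-value [2] }, TYPED-DATA is { data-type [0],
# data-value [1] OPTIONAL }, so the first tag decides.  DER subset: definite lengths.
PA_TAGS, TD_TAGS = (0xA1, 0xA2), (0xA0, 0xA1)   # constructed context tags

def _der(tag, body):
    """Encode one DER TLV (definite length); used to build constructed samples."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode(kind, items):
    """Build 'padata' (METHOD-DATA) or 'typed-data' from [(type, value), ...]."""
    t_tag, v_tag = PA_TAGS if kind == "padata" else TD_TAGS
    enc_int = lambda v: _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
    return _der(0x30, b"".join(_der(0x30, _der(t_tag, enc_int(t)) + _der(v_tag, _der(0x04, v)))
                               for t, v in items))

def _children(buf):
    """Yield (tag, value) for each TLV in buf, handling long-form lengths."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def decode_e_data(e_data):
    """Return ('padata' | 'typed-data', [(type, value), ...]); ValueError if malformed."""
    (outer_tag, outer), = _children(e_data)
    if outer_tag != 0x30:
        raise ValueError("e-data is not a SEQUENCE")
    kind, items = None, []
    for elem_tag, elem in _children(outer):
        fields = dict(_children(elem)) if elem_tag == 0x30 else {}
        this = "typed-data" if 0xA0 in fields else "padata"
        t_tag, v_tag = PA_TAGS if this == "padata" else TD_TAGS
        if kind not in (None, this) or t_tag not in fields or (this == "padata" and v_tag not in fields):
            raise ValueError("malformed or mixed PA-DATA / TYPED-DATA element")
        kind = this
        (_, t_raw), = _children(fields[t_tag])          # [n] EXPLICIT INTEGER
        (_, value), = _children(fields[v_tag]) if v_tag in fields else [(0x04, b"")]
        items.append((int.from_bytes(t_raw, "big", signed=True), bytes(value)))
    return kind, items
```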