Simon Josefsson <[EMAIL PROTECTED]> writes:

> First, let me clarify my proposal: Shishi clients open a TLS
> connection to the Shishi KDC, client-authenticated with X.509 or
> OpenPGP, and then send the AP-REQ inside the TLS channel to shishid.
>
> If the client certificate/key maps to a Kerberos principal, shishid
> will send the proper AP-REP back using Kerberos NULL encryption inside
> the encrypted TLS channel.

Oops, of course I meant AS-REQ and AS-REP there. For TGS-REP, it will use the TGT key, although in theory it would be possible to avoid it and send it NULL encrypted too. I don't see any advantage in that, though.

/Simon
