Re: Status of draft-ietf-kitten-kerb-token-preauth-01

Thu, 07 Jan 2016 04:22:27 -0800 

Le 07/01/16 12:37, Zheng, Kai a écrit :
> Thanks for asking. Well, it's a long story and still a long term effort. Our 
> side has finished the prototype implementation of the new mechanism for the 
> MIT KDC, and in Kerby we wish to provide the reference implementation. The 
> background is, we're working on a workable solution targeted for Hadoop 
> ecosystem and Kerby (before Haox) is part of the effort for the Java client 
> side (as Hadoop is also Java). We had some initial requirements and use 
> cases, but they're far enough for the Kerberos Consortium to push it in the 
> first priority. You see, pushing something isn't easy, even we're working so 
> hard. On the other hand, the stack (Kerberos/Java/Hadoop) is so deep and the 
> involved aspects/parties are so many. So bet we won't be so lucky to put it 
> in the plate in some term soon.
Well, it's not really an isssue, as teh doc is in the project, and as
it's not used atm. I have added some reference in the class header :

/**
 * The AdToken component as defined in "Token Pre-Authentication for
Kerberos", "draft-ietf-kitten-kerb-token-preauth-01"
 * (not yet published, but stored in docs/Token-preauth.pdf) :
 *
 * <pre>
 * 6.4. AD-TOKEN
 *   The new Authorization Data Type AD-TOKEN type contains token
 *   derivation and is meant to be encapsulated into AD-KDC-ISSUED type
 *   and to be put into tgt or service tickets. Application can safely
 *   ignore it if the application doesn't understand it. The token field
 *   SHOULD be ASN.1 encoded of the binary representation of the
 *   serialization result of the derivation token according to [JWT].
 *  
 *         AD-TOKEN ::= SEQUENCE {
 *            token     [0]  OCTET STRING,
 *         }
 * </pre>
 *
 * @author <a href="mailto:[email protected]";>Apache Directory
Project</a>
 */

That should be helpful for those who want to know where it's coming from.

Thanks Kai !

/me continuing to review the kerby-core code. Atm, everything in
org.apache.kerby.kerberos.kerb.type.ad and
org.apache.kerby.kerberos.kerb.type.ap have been reviewed, I'm reviewing
org.apache.kerby.kerberos.kerb.type.base now (7 classes already reviewed).

Reply via email to