On Mon, 1 Nov 2021 14:42:32 GMT, Martin Balao <mba...@openjdk.org> wrote:

> But the question that concerns me most is if we really want to make such a
> tight check, or we are willing to forward everything.

Alexey said their customer has at least 50 KDCs. It will be quite a waste of time if we go through each of them and get a KDC_ERR_BADOPTION all the time. Therefore I would like this retry to be as restricted as possible.

> `additionalTickets` is a term introduced in the RFC. Even when it does not
> have defined semantics (i.e.: what are these attached/additional tickets
> for?), I'd keep it for everything related to message formatting. My comment
> was more about 'second', which is undefined in RFC/docs and not a very
> meaningful name. I prefer `clientCreds` over `proxyCreds` because 'proxy'
> makes me think about the middle-service. What about `userCreds`? (the reason
> I like 'user' is because it's more about the actor, while client might be a
> role that the middle-service is playing in a communication with a KDC or a
> back-end)

Unfortunately we cannot call them `additionalTickets` anymore: first, it's no longer just a message; second, it's not plural. Yes, `userCreds` is better. One place `proxyCreds` is used is because it's a `Krb5ProxyCredential`. As for `second`, I think it might be from the "second ticket" inside a ccache.

I've pushed a new commit for everything I've tried on.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6082