https://k5wiki.test.kerberos.org/wiki?action=history&feed=atom&title=Release_Meeting_Minutes%2F2012-01-24Release Meeting Minutes/2012-01-24 - Revision history2026-05-14T17:25:43ZRevision history for this page on the wikiMediaWiki 1.27.4https://k5wiki.test.kerberos.org/wiki?title=Release_Meeting_Minutes/2012-01-24&diff=4532&oldid=prevTomYu: New page: {{minutes|2012}} Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkova, Tom Yu == gss_export_cred == Simo suggests a new API for exporting GSS creds. ;Greg: Might be usi...2012-01-24T19:14:52Z<p>New page: {{minutes|2012}} Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkova, Tom Yu == gss_export_cred == Simo suggests a new API for exporting GSS creds. ;Greg: Might be usi...</p>
<p><b>New page</b></p><div>{{minutes|2012}}<br />
Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkova, Tom Yu<br />
<br />
== gss_export_cred ==<br />
Simo suggests a new API for exporting GSS creds.<br />
;Greg: Might be using a memory ccache or a file. Would have to serialize contents.<br />
;Simo: To use in GSS proxy.<br />
;Tom: consider e.g. nonexportable keys in hardware security modules<br />
;Simo: Stateless server for GSS proxy. Server could encrypt credentials in a long-term key to hand to the client.<br />
;Tom: So externalizing server state to client without client using them.<br />
;Simo: Also possibly for clients to use.<br />
;Greg: Resource consumptino... encryption, memory.<br />
;Simo: Also thinking about exporting partially initialized context.<br />
;Greg: See also IETF GSS preauth proposal.<br />
;Tom: Is statelessness a requirement?<br />
;Simo: Denials of service, memory leaks, etc. make stateless attractive.<br />
;Tom: Consider replays, reordering, etc.<br />
;Greg: Maybe 1.11, but we're not committing to anything just yet.<br />
;Simo: Standards?<br />
;Greg: Not for the token format.<br />
;Tom: Standards for API.<br />
;Simo: Use Kerberos initially... maybe GSS-EAP later?<br />
;Greg: Also define whether API or caller is responsible for encrypting the token.<br />
== verify_init_creds ==<br />
;Will: Started thread based on talking to a customer. Hostnames change. pam_krb5 in auth stack. Why not try every principal in the keytab?<br />
;Greg: Say system keytab has both host and http keys. Other keytab (containing only http key) readable by httpd could fake any principal.<br />
;Greg: Maybe try all or first "host" principal in keytab.<br />
;Tom: Either could be a krb5-1.10.x bugfix.</div>TomYu