[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HDB layer ideas

To: abartlet@samba.org
Subject: Re: HDB layer ideas
From: Luke Howard <lukeh@padl.com>
Date: Sun, 17 Jul 2005 21:23:24 +1000
Cc: heimdal-discuss@sics.se
Organization: PADL Software Pty Ltd
Reply-To: lukeh@padl.com
Sender: owner-heimdal-discuss@sics.se
Versions: dmail (bsd44) 2.6d/makemail 2.10


For XAD, we used Love's proposal for HDB extensions (omissions for
compactness):

hdb-ext ::= CHOICE {
        pkinit-acl[0]   hdb-ext-pkinit-acl,
        pkinit-cert[1]  hdb-ext-pkinit-certificate,
...
}

hdb-extension ::= SEQUENCE {
        mandatory[0]    BOOLEAN,        -- kdc MUST understand this extension,
                                        --   if not the whole entry must
                                        --   be rejected
        data[1]         hdb-ext
}

hdb-extensions ::= SEQUENCE OF hdb-extension

hdb-entry ::= SEQUENCE {
        principal[0]    Principal  OPTIONAL, -- this is optional only
                                             -- for compatibility with libkrb5
...
        extensions[13]  hdb-extensions OPTIONAL,
...
}

The only problem with this solution is that it doesn't deal well with
types that can't be represented in ASN.1, or that need to be defined
at runtime (eg. by a loadable HDB module).

There might be some interesting solutions to this, I'll have to think
some more...

-- Luke

--

Follow-Ups:
- Re: HDB layer ideas
  - From: Love Hörnquist Åstrand <lha@kth.se>

Prev by Date: HDB layer ideas
Next by Date: no libcom_err.la being built
Prev by thread: Re: HDB layer ideas
Next by thread: Re: HDB layer ideas
Index(es):
- Date
- Thread