On Mon, 2006-05-08 at 00:39 -0500, Nicolas Williams wrote:
> On Mon, May 08, 2006 at 10:29:57AM +1000, Luke Howard wrote:
> >
> > >The best thing would be to advocate gss_krb5_inquire_sec_context_by_oid w/
> > >OIDs for the subkey and PAC [1] w/ support in MIT and stock Heimdal.
> >
> > For accessing the PAC, we will probably move to store the authorization
> > data inside a gss_name_t() and provide something like gss_inquire_name_by_oid
> > rather than extracting it from the context.
>
> The API is already specified, albeit in an Internet-Draft -- see the
> IETF KITTEN WG page, see draft-ietf-kitten-gssapi-naming-exts-01.txt.

Would the kerberos libs do the PAC verification? Otherwise, we need the
tgs authtime timestamp and keyblock too.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net