directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Enrique Rodriguez <enriqu...@gmail.com>
Subject Apache Kerberos 0.5 development update
Date Wed, 17 Aug 2005 19:48:52 GMT
Hi, Directory Developers,

0.5 Development Update
======================
I am starting some updates to the Kerberos protocol on 0.5.  I will be 
loading this same info into JIRA on a roadmap.

0.5.1 will be entirely clean-up, mostly in preparation for cross-realm 
operation, aka "trust relationships," and 0.5.2 will be the addition of 
the actual new feature "trusts."

Hot-plug of SAM Mechanisms
==========================
A side-benefit of note is that it will easier to customize processing in 
0.6 and, in particular, I will be making it much easier to "hot-plug" 
Kerberos pre-authentication mechanisms using OSGi by 0.8.  For example, 
we currently support pre-authentication by "encrypted timestamp" and 
Safehaus has a verifier for OATH's HOTP standard for one-time-password 
(OTP) verification, aka "single-use authentication mechanism," or SAM.

I have received requests for PKI\SmartCard support as well as commercial 
vendor support such as Cryptocard and RSA Security.  Of course, being 
proprietary, I won't be adding the latter at Apache; I simply wish to 
let everyone know a formal mechanism for doing this more easily is in 
the works and that we'd love to see commercial vendor adoption.

Additionally, work is underway at OATH for a time-based HOTP variant 
(current HOTP is counter-based) and I expect Safehaus will quickly 
support that, as well.

0.5.1
=====
- formatting updates to kerberos-protocol and kerberos-common leftover 
from the original grant
- refactor kerberos-protocol to chain (affects kerberos-common, too)
- addition of pre-authentication sub-chain
- documentation of the steps in the chain and pre-auth sub-chain
- MINA to 0.7.3
- add some missing toString()'s to improve logging
   (org.apache.kerberos.messages.value.HostAddresses,
   org.apache.kerberos.crypto.encryption.EncryptionType,
   org.apache.kerberos.messages.value.KerberosTime)
- rename some "misnomered" key values (eg. kdc.default.port to kdc.port)
- replace HostAddress with InternetAddress

0.5.2
=====
- trusts per RFC 4120

Enrique

Mime
View raw message