RFR: 8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup [v3]
Weijun Wang
weijun at openjdk.java.net
Tue Aug 10 16:19:51 UTC 2021
On Tue, 10 Aug 2021 14:48:08 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> Not adding the type is OK, I said it's just to be a little clearer. I think you're right about the cname. It's always the one that actually sends the request.
>>
>> What is "the TGS" (in "the TGS is the one")? `clientSvcTicketEnc`? BTW, is "client service ticket" a well-known name? Or can we name it "user"-something?
>
> The TGS in "the TGS is the one" is clientSvcTicketEnc indeed. I admit that all these names are a bit confusing (but so is the underlying protocol). I'll take the "user" suggestion and rename it to userSvcTicketEnc, in the hopes of suggesting some similarity between S4U2Proxy and S4U2Self and making it clearer. Agree?
Good! No more comments.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5036