RFR: 8272162: S4U2Self ticket without forwardable flag

Weijun Wang weijun at openjdk.java.net
Mon Nov 22 19:06:42 UTC 2021

On Mon, 1 Nov 2021 14:42:32 GMT, Martin Balao <mbalao at openjdk.org> wrote:

> But the question that concerns me most is if we really want to make such a tight check, or we are willing to forward everything.

Alexey said their customer has at least 50 KDCs. It will be quite a waste of time if we go through each of them and get a KDC_ERR_BADOPTION all the time. Therefore I would like this retry to be as restricted as possible.

> `additionalTickets` is a term introduced in the RFC. Even when it does not have defined semantics (i.e.: what are these attached/additional tickets for?), I'd keep it for everything related to message formatting. My comment was more about 'second', which is undefined in RFC/docs and not a very meaningful name. I prefer `clientCreds` over `proxyCreds` because 'proxy' makes me think about the middle-service. What about `userCreds`? (the reason I like 'user' is because it's more about the actor, while client might be a role that the middle-service is playing in a communication with a KDC or a back-end)

Unfortunately, we cannot call them `additionalTickets` anymore: first, it's no longer just a message; second, it's not plural. Yes, `userCreds` is better. One place `proxyCreds` is used is because it's a `Krb5ProxyCredential`. As for `second`, I think it might be from the "second ticket" inside a ccache.

I've pushed a new commit for everything I've tried on.


PR: https://git.openjdk.java.net/jdk/pull/6082