On 06/03/2014 04:29 AM, Peter Mogensen wrote:
> This seems to be conflicting. First it says the signing-key is the
> session-key, then it says it's the service-key used to encrypt the ticket.

I don't think AD-KDC-issued is really used much, but to the extent that we have client code for it, we (MIT krb5) assume the ticket session key is used to sign it. I don't see any Heimdal code for AD-KDC-issued except for an #if 0 block, and I don't think Microsoft uses it for anything since they have the PAC.

> Using the service-key seems to make more sense and it's also what I can
> see the draft for AD-CAMMAC uses for svc-verifier.

From a security perspective, I don't think it really matters whether the ticket session key or the service key is used. The former provides a slightly more direct guarantee that the authdata originated with the specific ticket it is included in, but anyone with the service key can print up a complete ticket with a chosen session key, so it shouldn't matter either way.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
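The argument in the reply above (whoever holds the service key can mint a whole ticket with a session key of their choosing, so keying the AD-KDC-ISSUED checksum by session key or by service key gives the same guarantee) can be checked in a toy model. The block below is an added illustration, not MIT krb5, Heimdal or Microsoft code: `seal`/`unseal` are a stand-in encrypt-then-MAC built from SHA-256 and HMAC rather than a real Kerberos enctype, the ticket's encrypted part is modelled as JSON instead of ASN.1, the ad-checksum is HMAC-SHA256, and all keys and authdata values are constructed sample data. `forgery_accepted` plays the service-key holder in both keying schemes; `tampering_accepted` shows the other side of the same point, that without the service key the ticket's authdata cannot be altered under either scheme because the ticket encryption, not the checksum key choice, is what protects it.

```python
"""Toy model of the AD-KDC-ISSUED keying question (added example, not project code)."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; stands in for a Kerberos enctype."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the service key; models the ticket's EncTicketPart."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the MAC, then decrypt; raises ValueError on any modification."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def ad_checksum(key: bytes, elements: bytes) -> str:
    """AD-KDC-ISSUED ad-checksum, modelled as HMAC-SHA256 over the authdata elements."""
    return hmac.new(key, elements, hashlib.sha256).hexdigest()


def build_ticket(service_key: bytes, session_key: bytes, elements: bytes, keyed_by: str) -> bytes:
    """Issue a ticket carrying AD-KDC-ISSUED authdata.

    keyed_by selects the key under which the ad-checksum is computed:
      "session" - the ticket session key (the reading MIT krb5 uses, per the thread)
      "service" - the service key that also encrypts the ticket
    The KDC calls this with the real service key; an attacker who has obtained
    that key can call it just the same, with any session key they like.
    """
    cksum_key = session_key if keyed_by == "session" else service_key
    enc_part = {
        "session_key": session_key.hex(),
        "elements": elements.decode(),
        "ad_checksum": ad_checksum(cksum_key, elements),
    }
    return seal(service_key, json.dumps(enc_part).encode())


def service_accepts(service_key: bytes, ticket: bytes, keyed_by: str) -> bool:
    """Decrypt the ticket as the service would and verify the AD-KDC-ISSUED checksum."""
    try:
        enc_part = json.loads(unseal(service_key, ticket))
    except ValueError:
        return False
    session_key = bytes.fromhex(enc_part["session_key"])
    cksum_key = session_key if keyed_by == "session" else service_key
    expected = ad_checksum(cksum_key, enc_part["elements"].encode())
    return hmac.compare_digest(expected, enc_part["ad_checksum"])


def forgery_accepted(keyed_by: str) -> bool:
    """Attacker holding the service key mints a ticket with a chosen session key and authdata."""
    service_key = hashlib.sha256(b"constructed service key").digest()        # constructed sample
    chosen_session_key = hashlib.sha256(b"attacker-chosen session key").digest()
    forged = build_ticket(service_key, chosen_session_key, b"authdata: admin=true", keyed_by)
    return service_accepts(service_key, forged, keyed_by)


def tampering_accepted(keyed_by: str) -> bool:
    """Attacker without the service key flips one bit inside a legitimate ticket's enc-part."""
    service_key = hashlib.sha256(b"constructed service key").digest()        # constructed sample
    session_key = hashlib.sha256(b"legitimate session key").digest()
    ticket = bytearray(build_ticket(service_key, session_key, b"authdata: admin=false", keyed_by))
    ticket[NONCE_LEN + 5] ^= 0x01   # modify ciphertext; the MAC under the service key catches it
    return service_accepts(service_key, bytes(ticket), keyed_by)


if __name__ == "__main__":
    for scheme in ("session", "service"):
        print(f"checksum keyed by {scheme}: forgery with service key accepted = "
              f"{forgery_accepted(scheme)}, bit-flip without service key accepted = "
              f"{tampering_accepted(scheme)}")
```

Running it prints True for the forgery and False for the bit-flip under both keying choices, which is the reply's point: the choice of checksum key moves nothing for an attacker who already has the service key, and an attacker without it is stopped by the ticket encryption before the checksum is ever examined.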
