====== Kerberos ======

Day 1: 1.7 and 1.8 features

==== Encryption Info ====

  * Don't specify enctypes in krb5.conf: enctypes should be auto-negotiated so that krb5 picks the strongest one both sides support.
  * No triple DES (Microsoft doesn't support it).
  * RC4, AES (Windows, Vista and newer).
  * Use ktadd -e to specify the encryption type for a principal.
  * Derived keys are now cached on the KDC.

==== Backend ====

The LDAP backend might support atomic-increment replication.

==== Kerberos 1.9 ====

  * Python test framework
  * NSS crypto backend
  * Plugin framework
    * preauth, db, extra info (pulling from AD)
  * Expose the delegation chain (see the chain of trust)
  * Admin changes
    * logging
    * plugin to test password quality
    * sync password changes
    * OTP (SecurID planned)
    * config file validator
  * Protocol changes
    * IAKERB (?)
    * Camellia
    * additional cipher modes, e.g. GCM

==== Future ====

  * Interface to purge old keys (1.8.x?)
  * Interface to delete specific enctypes (1.8.x?)
  * Trace logging (1.9)
  * Password quality checking (1.9)
  * Print enctypes in "input form"
  * Improve IPv6 support
  * Improve key rollover (application keys)
  * Decrease DNS dependence
  * Plugins:
    * account lockout
    * audit support
    * password sync
    * ticket issuance ACL
  * Friendlier smart card support

=== Performance ===

  * Decrease DNS traffic
  * Avoid DNS stalls
  * Replay cache
  * Concurrency
    * state
    * reduce mutex contention
  * Refactoring to support async/event-loop APIs

==== CLI config tester (validator.py) ====

  * Python based
  * Requires YAML
  * Validates your config options
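Added example, not the validator.py the notes describe and not MIT Kerberos code: a small Python check in the spirit of the Encryption Info notes and the config tester. It reads the [libdefaults] section of a krb5.conf and warns when the enctype list is pinned (which disables negotiation) or names a DES/3DES family. The setting names are the real MIT libdefaults keys; the sample config is constructed, and the parser assumes [libdefaults] has no nested { } blocks.

```python
import re

# Settings that override the library's negotiated enctype list when present.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Families the notes say to avoid: single DES and triple DES (no Windows support).
WEAK_PREFIXES = ("des-", "des3")


def parse_libdefaults(text):
    """Return key = value pairs of [libdefaults]; comment lines are skipped and
    other sections ignored (assumption: the section holds no nested blocks)."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key.lower()] = value
    return out


def check_enctypes(text):
    """One warning per problem; an empty list means enctype choice is left to
    negotiation and no DES/3DES family is named."""
    warnings = []
    for key, value in parse_libdefaults(text).items():
        if key not in ENCTYPE_KEYS:
            continue
        warnings.append(f"{key} pinned to '{value}': drop it so the strongest "
                        "enctype both sides support is negotiated")
        for enc in value.replace(",", " ").split():
            if enc.lower().startswith(WEAK_PREFIXES):
                warnings.append(f"{key} lists {enc}: DES/3DES is not supported by Windows")
    return warnings


# Constructed sample krb5.conf (not from any real host) with two pinned lists.
SAMPLE = """[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-cbc-sha1 rc4-hmac
    permitted_enctypes = aes256-cts aes128-cts
"""

if __name__ == "__main__":
    for warning in check_enctypes(SAMPLE):
        print("WARN:", warning)
```

The sample produces three warnings: both lists are pinned, and the first one also names des3-cbc-sha1.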