On Thu, May 22, 2025 at 05:04:32PM +0000, Chris Gooch wrote:
> It now makes sense to me. I believe the KDC will not allow tokens
> larger than 65535 bytes, so feel it is safe from a GSS perspective.
The KDC protocol over TCP uses 32-bit unsigned PDU lengths in network
byte order, of which the high bit is reserved and must be zero. ASN.1
supports much larger lengths still. The protocol easily supports very
large tickets, therefore very large initial security context tokens.
The architecture of having the user's SIDs be included in the user's
service tickets was very useful as an optimization for a long time, but
as the number of SIDs increases this optimization becomes more of an
albatross.
Nico
--