Subject: reconsider structure of code for locating and contacting kdc, krb524d, kpasswd

I think we might want to reconsider how Kerberos-related services are located and how the communications are handled.

The use_master approach (see also ticket 1505) will result in contacting the master KDC twice, if an incorrect password is given and the master KDC is at the highest priority in the "normal" KDC list.

The send-to-server loop can initiate a TCP connection, shut it down (after a response is received by UDP), and start it up again (if the response was RESPONSE_TOO_BIG).

The DNS queries and message transmission are needlessly serialized (see also ticket 1453).

The kpasswd protocol, since it uses a KRB_PRIV message, currently requires that the sender and recipient addresses be encoded into the message.

Various heuristics are used in different places for locating a service (most often, "locate this other service, and tweak the port numbers").

Perhaps some better framework can be devised for encompassing more of the general functionality, and avoiding some of the duplication of code and traffic. The first two issues might be resolved by allowing the processing of a response to alter the set of servers being contacted, rather than shutting down all the communications immediately. It would probably also be useful to add hooks for letting the user cancel attempts to reach the server (e.g., a "cancel" button).
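As an added illustration of the proposal in the last paragraph (a constructed model, not krb5's own code), here is a toy send loop in which the handling of each response edits the remaining server queue: a RESPONSE_TOO_BIG answer requeues the same server over TCP in place, and the use_master fallback is skipped once the master has already answered. Server names, response codes and the retry policy are assumptions.

```python
# Constructed toy model of the send-to-server loop sketched in the ticket.
# Not krb5 code: names, response codes and the retry policy are assumptions.
UDP, TCP = "udp", "tcp"
OK, TOO_BIG, PREAUTH_FAILED = "ok", "response_too_big", "preauth_failed"


class Server:
    def __init__(self, name, master=False):
        self.name, self.master = name, master


def locate_and_send(servers, respond):
    """Contact `servers` in order, UDP first, letting each response reshape the
    remaining queue instead of tearing the whole loop down and restarting it.

    `respond(server, transport)` stands in for the network and returns OK,
    TOO_BIG, PREAUTH_FAILED, or None for a timeout.
    Returns (last_response, attempts), attempts being [(name, transport), ...].
    """
    queue = [(s, UDP) for s in servers]
    attempts, last, master_answered = [], None, False
    while queue:
        server, transport = queue.pop(0)
        attempts.append((server.name, transport))
        resp = respond(server, transport)
        if resp is None:                  # timeout: move on to the next entry
            continue
        last = resp
        master_answered = master_answered or server.master
        if resp == OK:
            return OK, attempts
        if resp == TOO_BIG and transport == UDP:
            # Retry this server over TCP; the rest of the queue is untouched.
            queue.insert(0, (server, TCP))
        elif resp == PREAUTH_FAILED:
            masters = [(s, UDP) for s in servers if s.master]
            if master_answered or not masters:
                # The master has already spoken (or there is none): stop here
                # rather than contacting it a second time.
                return PREAUTH_FAILED, attempts
            queue = masters               # use_master fallback, done once
    return last, attempts


def scripted(table):
    """Build a `respond` callable from {(name, transport): response}; entries
    that are missing time out (None). Constructed helper for the examples."""
    return lambda server, transport: table.get((server.name, transport))
```

The DNS serialization and kpasswd addressing points are not modelled; the loop only shows how response-driven queue edits avoid the double master contact and the TCP teardown/restart.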