-*- indented-text -*-

$Id$

* admin

add some kind of remote admin protocol

allow changing of all fields with kdb_edit

* kpasswdd

configuration control for password expiration

* appl

more programs here

** appl/popper

Implement RFC1731 and 1734, pop over GSS-API

** appl/rsh

perhaps rsh and rshd should be able to handle the `traditional'
  rsh-protocol as well.

** appl/telnet

error messages when kerberos functions fail

** appl/test

should test more stuff

* doc

there's some room for improvement here.

* kdc

should the KDC use keytabs to store its keys?  Then it could use krb5_rd_req.

* lib

** lib/asn1

prepend a prefix on all generated symbols

** lib/auth

PAM and afskauthlib

** lib/des

md4, md5, and sha doesn't work on Crays.

** lib/gssapi

acquire_cred, release_cred, process_context_token, context_time,
display_status, compare_names, export_name, inquire_cred,
wrap_size_limit, add_cred, inquire_cred_by_mech, export_sec_context,
import_sec_context, inquire_names_for_mech, inquire_mechs_for_name,
canonicalize_name, and duplicate_name not implemented.

import_name only understands GSS_C_NT_HOSTBASED_SERVICE and
GSS_C_NO_OID.

get_mic, wrap: always uses the remote_subkey

only DES MAC MD5 and DES implemented.

wrap and unwrap always uses DES for sealing even if conf is not
requested.

minor_status is never set

init_sec_context: `initiator_cred_handle' and `time_req' ignored.

accept_sec_context: the first principal in the srvtab is always used.

accept_sec_context: `acceptor_cred_handle' is ignored.

input channel bindings are not supported

delegation not implemented

anonymous credentials not implemented

** lib/hdb

fix encryption of database entries and master keys.

fix locking

fix atomic rename of database

** lib/krb5

replay cache not implemented

the following encryption types have been implemented: DES-CBC-CRC,
DES-CBC-MD4, DES-CBC-MD5

supports the following checksums: CRC32, RSA-MD4, RSA-MD5,
RSA-MD4-DES, RSA-MD5-DES

always generates a new subkey in an authenticator

probably leaks memory when errors occur

should the sequence numbers be XORed?

encryption and checksum type is still hardcoded in some places.

wait for error before generating preauthentication

pa-afs3-salt?

OTP?

** lib/roken

** lib/sl