On this page
- §8.1.1 CAAP distribution
- §8.1.2 Domain join (adpsd, Active Directory, Kerberos)
- §8.1.3 Elevation and linked tokens
- §8.1.4 Claims and Dynamic Access Control
- §8.1.5 Forced logout / revocation tooling
- §8.1.6 Additional credential factors
- §8.1.7 TPM-sealed at-rest protection
- §8.1.8 Secondary-logon launch helper
- §8.1.9 A Rust wrapper for kacs_set_impersonation_level
Deferred Features
This chapter is informative. It records features that are part of the subsystem's intended scope but are deliberately deferred to later versions, so that the core (interactive local password logon and its administration) can be specified and built first. Nothing here is normative for this version; each item names the contracts already shaped to accommodate it.
§8.1.1 CAAP distribution
authd is intended to read central access policies from the directory and push them into the kernel policy cache before signalling readiness, and to re-push on change. This is deferred. The policy phase (§5.2) runs on a declared default policy until the rights-assignment/CAAP policy store is wired.
§8.1.2 Domain join (adpsd, Active Directory, Kerberos)
The domain principal source (adpsd) fronting Active Directory via Kerberos/NTLM is deferred. The seam (§2.2), the resolved-principal contract (§4, PAC-isomorphic), the source registry (§6.1), and the namespace-based routing (§2.2) are all shaped so that adpsd drops into lpsd's structural position. adpsd is responsible for verifying a real PAC's signatures and translating into the §4 contract, and for any challenge–response on its remote hop (§6.2).
§8.1.3 Elevation and linked tokens
UAC-style Full/Limited linked-token pairs and filtered tokens are deferred. Token shaping (§5.2 step 5) is the hook; this version mints a single primary token.
§8.1.4 Claims and Dynamic Access Control
Source-native claims already flow through the resolved principal (§4) and onto the token; claim-transformation policy and the broader DAC story are deferred.
§8.1.5 Forced logout / revocation tooling
The userspace forced-logout pattern (walking /proc/*/token by
auth_id and signalling holders; PSD-004) is a session-management
request (§6.3) gated by SeTcbPrivilege. The tooling around it is
deferred.
Security limitation (not merely deferred tooling). KACS provides no
token-revocation primitive: tokens do not expire, a token fd passed via
SCM_RIGHTS to a process outside the session survives forced logout,
and account disable/delete takes effect only at the principal's next logon
(§7.2). "Log this user out now" is therefore best-effort, and the
/proc/*/token walk is racy — a holder may fork or pass its fd between
enumeration and signalling, so the walk MUST re-scan until no holder
remains. A real revocation guarantee depends on a future KACS
dead-logon-session facility, which this subsystem treats as a dependency.
§8.1.6 Additional credential factors
webauthn/passkey, x509/smartcard, and recovery_code factors reuse
the credential shape of §3.3 and are deferred.
§8.1.7 TPM-sealed at-rest protection
The tpm-sealed scheme and the optional argon2id pepper (§3.5) are
deferred until the platform's measured-boot story is solid enough to
seal against without brittle reseal-on-update failures. The wrappable
secret_part shape is mandated now so adoption is a re-wrap pass.
§8.1.8 Secondary-logon launch helper
A helper that lets an unprivileged caller launch a process on a token it
obtained via Logon (the runas/seclogon analogue) is deferred. Until
then, installing a returned token as a primary token requires the
appropriate privilege, which login frontends and peinit hold (§5.3).
§8.1.9 A Rust wrapper for kacs_set_impersonation_level
The client-side impersonation-level cap (§6.2) has no Rust binding yet. Clients that need to cap the level below the default will require one.