PKINIT

Anne & Lynn Wheeler lynn at garlic.com
Mon May 19 13:08:26 EDT 2003


Lun <ylhuang at csie.nctu.edu.tw> writes:
> I am now currently installing krb5-1.2.7. Can I perform 
> certificate authentication between my KDC and client?
> How to configure a certificate-authenticated principal in
> my KDC? And how to get the certificates for my KDC and principal?

PKINIT allows for initial public key (aka digital signature)
authentication. PKINIT allows for the public key to be provided in a
number of different ways .... either via a certificate-provided public
key ... as well as registering the public key in effectively the same
manner that a password would be registered.

It isn't mandated that the method for conveying the public key (for
authenticating the corresponding digital signature) only be done by a
certificate-based process. It is possible to use an existing business
process for registering authentication material ... to register the
public key in the same business process that would be used for registering
a password. In this manner, the business process stays the same, but
it changes from a shared-secret based authentication material to a
non-shared-secret based authentication material.


-- 
Anne & Lynn Wheeler   | lynn at garlic.com -  http://www.garlic.com/~lynn/ 
Internet trivia, 20th anniv: http://www.garlic.com/~lynn/rfcietff.htm
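
The registration model described in the message above, as an added example in Go (not part of the original post, and not krb5 code or the PKINIT wire format): the account record holds a public key where a password secret would sit, and the server checks a signature over the principal name and a timestamp. The `Registry` type, the function names, the principal and the five-minute window are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Registry (hypothetical) stores a public key where a password secret would sit.
type Registry map[string]ed25519.PublicKey

const maxSkew = 5 * time.Minute // constructed freshness window

// authMessage binds the principal name and a timestamp into the signed bytes.
func authMessage(principal string, ts time.Time) []byte {
	buf := make([]byte, 8, 8+len(principal))
	binary.BigEndian.PutUint64(buf, uint64(ts.Unix()))
	return append(buf, principal...)
}

// SignRequest runs on the client; the private key never reaches the server.
func SignRequest(priv ed25519.PrivateKey, principal string, ts time.Time) []byte {
	return ed25519.Sign(priv, authMessage(principal, ts))
}

// Verify runs on the server and needs only the registered public key.
func (r Registry) Verify(principal string, ts time.Time, sig []byte, now time.Time) error {
	pub, ok := r[principal]
	if !ok {
		return errors.New("unknown principal")
	}
	if d := now.Sub(ts); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside allowed skew")
	}
	if !ed25519.Verify(pub, authMessage(principal, ts), sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)  // nil selects crypto/rand
	reg := Registry{"alice@EXAMPLE.COM": pub} // registration step, constructed principal
	now := time.Now()
	sig := SignRequest(priv, "alice@EXAMPLE.COM", now)
	fmt.Println("auth error:", reg.Verify("alice@EXAMPLE.COM", now, sig, now))
}
```

A copy of the registry gives a reader nothing to sign with, unlike a store of shared secrets. The timestamp check alone does not stop a captured signature being replayed inside the skew window, so a deployment would add a replay cache or nonce.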

