X.509 Interop

Mark Sirota msirota at isc.upenn.edu
Thu Nov 17 10:23:34 EST 2005


--On November 17, 2005 6:49:22 AM +0000 Jeffrey Altman 
<jaltman2 at nyc.rr.com> wrote:
> The CITI group at UMichigan also has a project that allows you to
> use a Kerberos service ticket to obtain an X.509 certificate with
> the same lifetime as the Kerberos ticket.

Assuming I'm thinking of the same project, this is called "KX.509".  We
worked with it extensively here at Penn, hoping to make it our new standard
for web-based authentication.

We made considerable progress and submitted our patches back to Michigan,
but we never deployed into production because there isn't enough browser
support for client-side X.509 certificates.  For non-web applications, this
might be more suitable.

Mark


More information about the Kerberos mailing list