Differentiate the ServiceTicket issued from Kinit vs PKinit

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Jun 3 09:39:31 EDT 2015


>Does this mean the client certificate should have the policy :
>1.3.6.1.4.1.311.20.2.2
> (Smart Card Logon)?
>
>Is it only the client certificate or CA cert should also have this policy?

Well, we don't use that particular OID; we use another one defined by our
CA that indicates it comes from an approved Smart Card.  But that's the
basic idea.

I don't want to get into a whole discussion about certificate policy;
that's sort of outside of the scope of this thread.  I will say that in
our particular case, it only matters that the client certificate has that
policy OID on it and that's all our implementation checks for.

And let me be clear; this is not something that exists in the supplied
MIT Kerberos pkinit module.  This is our own version of it.  I've
talked with MIT about incorporating our changes into their module,
and they have been receptive; I just haven't had time recently to
deal with it.

--Ken
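The check Ken describes, a client certificate carrying a required policy OID in its certificatePolicies extension, as an added example that is neither MIT Kerberos code nor Ken's implementation. It uses the Smart Card Logon OID quoted in the thread as the required value and hand-builds the extension's DER for the sample data; the "1.2.3.4.5" policy is a made-up placeholder for a CA-defined OID, and a real KDC would take the extension value from the parsed X.509 certificate.

```python
# Added example, not MIT Kerberos or the poster's code: does a client cert's
# certificatePolicies extension carry the required policy OID? DER is hand-built.
REQUIRED_POLICY_OID = "1.3.6.1.4.1.311.20.2.2"  # Smart Card Logon OID quoted in the thread

def encode_oid(dotted):
    # DER OID (tag 0x06): first two arcs packed into one byte, rest base-128.
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def der_seq(*children):
    # DER SEQUENCE with short-form length (all sample data is under 128 bytes).
    body = b"".join(children)
    return bytes([0x30, len(body)]) + body

def read_tlv(buf, pos):
    # Return (tag, value, next_pos); short-form lengths only, matching der_seq.
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def policy_oids(ext_value):
    # certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, ... }
    # Returns the raw DER body of each policyIdentifier; qualifiers are ignored.
    tag, outer, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = read_tlv(outer, pos)
        itag, oid_body, _ = read_tlv(info, 0)
        if tag != 0x30 or itag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(oid_body)
    return oids

def has_required_policy(ext_value, required=REQUIRED_POLICY_OID):
    # Byte-exact match of the encoded OID; anyPolicy (2.5.29.32.0) must not count.
    return encode_oid(required)[2:] in policy_oids(ext_value)

# Constructed samples: a smart-card cert (two policies) and a cert with only anyPolicy.
SMARTCARD_EXT = der_seq(der_seq(encode_oid("1.2.3.4.5")), der_seq(encode_oid(REQUIRED_POLICY_OID)))
OTHER_EXT = der_seq(der_seq(encode_oid("2.5.29.32.0")))
```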