Differentiate the ServiceTicket issued from Kinit vs PKinit
Jim Shi
hanmao_shi at apple.com
Wed Jun 3 18:52:51 EDT 2015
Hi, Ken,
The TGS ticket flag is set on KDC server. When the client get TGS back from the server, he/she is able to see the flag set by the KDC. Looks klist commands will show flags.
However if the client passes the ticket to some service for verification, , the service will not be able see the these flags. Is that right? My understanding is that these flags are not passed to service??
Thanks
Jim
> On Jun 3, 2015, at 6:39 AM, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>
>> Does this mean the client certificate should have the policy :
>> 1.3.6.1.4.1.311.20.2.2
>> (Smart Card Logon)?
>>
>> Is it only the client certificate or CA cert should also have this policy?
>
> Well, we don't use that particular OID; we use another one defined by our
> CA that indicates it comes from an approved Smart Card. But that's the
> basic idea.
>
> I don't want to get into a whole discussion about certificate policy;
> that's sort of outside of the scope of this thread. I will say that in
> our particlar case, it only matters that the client certificate has that
> policy OID on it and that's all our implementation checks for.
>
> And let me be clear; this is not something that exists in the supplied
> MIT Kerberos pkinit module. This is our own version of it. I've
> talked with MIT about incorporating our changes into their module,
> and they have been receptive; I just haven't had time recently to
> deal with it.
>
> --Ken
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list