Differentiate the ServiceTicket issued from Kinit vs PKinit

Jim Shi hanmao_shi at apple.com
Wed Jun 3 18:52:51 EDT 2015


Hi, Ken,
 The TGS ticket flag is set on KDC server.  When the client get TGS back from the server, he/she is able to see the flag set by the KDC. Looks klist commands will show flags.

However if the client passes the ticket to some service for verification, , the service will not be able  see the these flags. Is that right? My understanding is that  these flags are not  passed to service??



Thanks
Jim





> On Jun 3, 2015, at 6:39 AM, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
> 
>> Does this mean the client certificate should have the policy :
>> 1.3.6.1.4.1.311.20.2.2
>> (Smart Card Logon)?
>> 
>> Is it only the client certificate or CA cert should also have this policy?
> 
> Well, we don't use that particular OID; we use another one defined by our
> CA that indicates it comes from an approved Smart Card.  But that's the
> basic idea.
> 
> I don't want to get into a whole discussion about certificate policy;
> that's sort of outside of the scope of this thread.  I will say that in
> our particlar case, it only matters that the client certificate has that
> policy OID on it and that's all our implementation checks for.
> 
> And let me be clear; this is not something that exists in the supplied
> MIT Kerberos pkinit module.  This is our own version of it.  I've
> talked with MIT about incorporating our changes into their module,
> and they have been receptive; I just haven't had time recently to
> deal with it.
> 
> --Ken
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos



More information about the Kerberos mailing list