Differentiate the ServiceTicket issued from Kinit vs PKinit

Jim Shi hanmao_shi at apple.com
Wed Jun 3 19:46:37 EDT 2015


Never mind. I assume the flags are inside the ticket.


Thanks
Jim





> On Jun 3, 2015, at 3:52 PM, Jim Shi <hanmao_shi at apple.com> wrote:
> 
> Hi, Ken,
>  The TGS ticket flag is set on the KDC server.  When the client gets the TGS back from the server, he/she is able to see the flag set by the KDC. Looks like the klist command will show the flags.
> 
> However, if the client passes the ticket to some service for verification, the service will not be able to see these flags. Is that right? My understanding is that these flags are not passed to the service?
> 
> 
> 
> Thanks
> Jim
> 
> 
> 
> 
> 
>> On Jun 3, 2015, at 6:39 AM, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
>> 
>>> Does this mean the client certificate should have the policy :
>>> 1.3.6.1.4.1.311.20.2.2
>>> (Smart Card Logon)?
>>> 
>>> Is it only the client certificate or CA cert should also have this policy?
>> 
>> Well, we don't use that particular OID; we use another one defined by our
>> CA that indicates it comes from an approved Smart Card.  But that's the
>> basic idea.
>> 
>> I don't want to get into a whole discussion about certificate policy;
>> that's sort of outside of the scope of this thread.  I will say that in
>> our particular case, it only matters that the client certificate has that
>> policy OID on it and that's all our implementation checks for.
>> 
>> And let me be clear; this is not something that exists in the supplied
>> MIT Kerberos pkinit module.  This is our own version of it.  I've
>> talked with MIT about incorporating our changes into their module,
>> and they have been receptive; I just haven't had time recently to
>> deal with it.
>> 
>> --Ken
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
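The point Jim settles on above is correct: in RFC 4120 the ticket flags are a field of EncTicketPart, the part of the ticket encrypted under the service's key, so a service that decrypts the ticket sees exactly the flags the KDC set (and that `klist -f` shows the client). The following is an added example, not code from this thread or from MIT Kerberos; it DER-encodes and decodes the KerberosFlags BIT STRING and names the bits with the single-letter codes `klist -f` prints. The flag words used are constructed samples, not captured tickets.

```python
"""Decode Kerberos TicketFlags as carried inside EncTicketPart (RFC 4120, 5.3).

Added example for this list thread; not code from the thread or from MIT
Kerberos.  Flag words used below are constructed samples, not real tickets.
"""
from typing import List, Tuple

# Bit positions from RFC 4120 section 5.2.8.  KerberosFlags is an ASN.1
# BIT STRING in which bit 0 is the most significant bit of the first octet.
# The third column is the letter 'klist -f' prints for each flag.
TICKET_FLAGS: List[Tuple[int, str, str]] = [
    (1, "forwardable", "F"),
    (2, "forwarded", "f"),
    (3, "proxiable", "P"),
    (4, "proxy", "p"),
    (5, "may-postdate", "D"),
    (6, "postdated", "d"),
    (7, "invalid", "i"),
    (8, "renewable", "R"),
    (9, "initial", "I"),
    (10, "pre-authent", "A"),
    (11, "hw-authent", "H"),
    (12, "transited-policy-checked", "T"),
    (13, "ok-as-delegate", "O"),
    (14, "anonymous", "a"),
]


def encode_flags_der(word: int) -> bytes:
    """DER-encode a 32-bit KerberosFlags word as a BIT STRING (tag 0x03)."""
    body = (word & 0xFFFFFFFF).to_bytes(4, "big")
    # Length covers the unused-bits octet plus the four flag octets;
    # 0x00 unused bits because the field is exactly 32 bits wide.
    return bytes([0x03, len(body) + 1, 0x00]) + body


def decode_flags_der(der: bytes) -> int:
    """Parse a DER BIT STRING (short-form length) back into a 32-bit flag word.

    Rejects malformed input instead of guessing, the way a service that
    decrypted an EncTicketPart should before trusting any flag.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]
    bits = der[3:]
    if unused > 7 or (unused and not bits):
        raise ValueError("bad unused-bits octet")
    word = int.from_bytes(bits, "big") >> unused
    total_bits = len(bits) * 8 - unused
    # Normalise so that bit 0 is always the MSB of a 32-bit word, whether
    # the encoder emitted fewer or more than 32 bits.
    if total_bits < 32:
        word <<= 32 - total_bits
    elif total_bits > 32:
        word >>= total_bits - 32
    return word & 0xFFFFFFFF


def _is_set(word: int, bit: int) -> bool:
    """True when RFC 4120 bit number `bit` is set in the 32-bit word."""
    return bool(word & (1 << (31 - bit)))


def flag_names(word: int) -> List[str]:
    """RFC 4120 names of the flags set in a 32-bit flag word."""
    return [name for bit, name, _ in TICKET_FLAGS if _is_set(word, bit)]


def klist_letters(word: int) -> str:
    """The flag string 'klist -f' would print for this word."""
    return "".join(letter for bit, _, letter in TICKET_FLAGS if _is_set(word, bit))


if __name__ == "__main__":
    # Constructed sample: a typical initial TGT word (forwardable, renewable,
    # initial, pre-authent).  A service ticket would normally lack 'initial'.
    sample = 0x40E00000
    der = encode_flags_der(sample)
    print("DER:", der.hex())
    print("flags:", flag_names(decode_flags_der(der)))
    print("klist -f:", klist_letters(sample))
```

Because the flags live in the encrypted part, a service cannot read them from the wire without its own key, and a client cannot alter them without breaking the ticket's encryption; whether a given flag (hw-authent, for instance) is set for PKINIT-issued tickets is entirely up to the KDC's policy, as Ken's description of a site-specific pkinit module illustrates.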


