interested in discussing some Kerberos improvements

[Russ Allbery]

Nico Williams <nico at cryptonector.com> writes:

> As Geoff explained in his reply, the idea is that the KDC can synthesize
> a KDB entry for any principal that doesn't exist in the KDB but for
> which a client certificate is presented (with a PKINIT SAN, issued by a
> CA trusted for that and the realm in question) and issue a ticket.

Ah, yes, right, of course. I had completely forgotten about that.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>