PKINIT and the schema? (Re: Lists of LDAP requirements
Douglas E. Engert
deengert at anl.gov
Fri Jul 21 10:10:41 EDT 2006
Chaskiel M Grundman wrote:
> --On Thursday, July 20, 2006 03:53:56 PM -0500 Will Fiveash
> <William.Fiveash at sun.com> wrote:
>
>> Will PKINIT impact the schema?
>
>
> The required-to-implement pkinit certificate mapping algorithm does not
> require the kdc to store mapping data: the certificate must have a
> subject alternative name of type id-pkinit-san which contains a kerberos
> principal name.
Which then limits the use of the certificate to the specific realm. And is
really only useful for an enterprise CA, and requires the principal to be
known at the time the certificate is issued.
>
> Of course, MIT (or novell, sun, etc) may want to implement a mapping
> policy that allows certificates to be used with pkinit that were not
> issued specifically with pkinit in mind.
>
This will be extremely important, with the requirements of HSPD-12
to mandate the use of the NIST PIV smart cards for all federal employees.
DoD has the CAC cards today, but will be converting to PIV. So there
will be millions of users.
The certificates will be issued by the agencies, and will not be tied
to a realm and thus will not have the id-pkinit-san. The certificate
should be usable by registering the user, certificate and mapping when
creating or updating the KDC database.
> Such a thing would impact the schema, but you'd really need to have an
> idea of what that mapping policy (or mapping policy framework, if you
> want to be that generic) will be in order to design ldap schema for it.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
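The two mapping paths discussed in the message above (an id-pkinit-san that binds the certificate to one realm, versus a KDC-side mapping registered when the principal is created), as an added Python example that is not part of the thread. The realm EXAMPLE.ORG, the issuer/subject DN strings and the mapping table are constructed for illustration; the KRB5PrincipalName encoding and the id-pkinit-san OID follow RFC 4556.

```python
KDC_REALM = "EXAMPLE.ORG"                  # assumed realm of this KDC
ID_PKINIT_SAN = "1.3.6.1.5.2.2"            # id-pkinit-san, RFC 4556

# Constructed KDC-side mapping for certificates that carry no id-pkinit-san,
# keyed on (issuer DN, subject DN) as registered with the principal entry.
KDC_CERT_MAP = {("CN=Agency PIV CA", "CN=Jane Doe,OU=Agency"): "jdoe@EXAMPLE.ORG"}

def der(tag, body):
    """Minimal DER TLV encoder (short-form length only; enough for test data)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def tlv(buf, pos=0):
    """Minimal DER TLV decoder; returns (tag, value, position after the TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                           # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def encode_krb5_principal_name(realm, names, name_type=1):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }"""
    pn = der(0x30, der(0xA0, der(0x02, bytes([name_type])))
                 + der(0xA1, der(0x30, b"".join(der(0x1B, n.encode()) for n in names))))
    return der(0x30, der(0xA0, der(0x1B, realm.encode())) + der(0xA1, pn))

def decode_krb5_principal_name(blob):
    """Inverse of the above; returns (realm, name_type, [name components])."""
    _, seq, _ = tlv(blob)
    _, realm_ctx, p = tlv(seq)                  # [0] realm (KerberosString, tag 0x1B)
    _, realm, _ = tlv(realm_ctx)
    _, pn_ctx, _ = tlv(seq, p)                  # [1] principalName
    _, pn, _ = tlv(pn_ctx)
    _, nt_ctx, p = tlv(pn)                      # [0] name-type
    _, nt, _ = tlv(nt_ctx)
    _, ns_ctx, _ = tlv(pn, p)                   # [1] name-string
    _, ns, _ = tlv(ns_ctx)
    names, p = [], 0
    while p < len(ns):
        _, s, p = tlv(ns, p)
        names.append(s.decode())
    return realm.decode(), int.from_bytes(nt, "big", signed=True), names

def map_certificate(issuer, subject, other_names):
    """Return the principal a cert maps to, or None. other_names: [(oid, DER value)]."""
    for oid, value in other_names:
        if oid == ID_PKINIT_SAN:                # required-to-implement path
            realm, _, names = decode_krb5_principal_name(value)
            if realm != KDC_REALM:              # the SAN ties the cert to another realm
                return None
            return "/".join(names) + "@" + realm
    return KDC_CERT_MAP.get((issuer, subject))  # local mapping policy; needs KDC data
```

A real KDC would compare the issuer and subject of the verified certificate chain, not caller-supplied strings, and would keep the mapping alongside the principal entry (which is where the schema question in the thread arises).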