PKINIT and the schema? (Re: Lists of LDAP requirements)

Douglas E. Engert deengert at
Fri Jul 21 10:10:41 EDT 2006

Chaskiel M Grundman wrote:

> --On Thursday, July 20, 2006 03:53:56 PM -0500 Will Fiveash 
> <William.Fiveash at> wrote:
>> Will PKINIT impact the schema?
> The required-to-implement pkinit certificate mapping algorithm does not 
> require the KDC to store mapping data: the certificate must have a 
> subject alternative name of type id-pkinit-san which contains a Kerberos 
> principal name.

That limits the use of the certificate to the specific realm. It is
really only useful for an enterprise CA, and requires the principal to be
known at the time the certificate is issued.

> Of course,  MIT (or novell, sun, etc) may want to implement a mapping 
> policy that allows certificates to be used with pkinit that were not 
> issued specifically with pkinit in mind.

This will be extremely important, with the requirements of HSPD-12
to mandate the use of the NIST PIV smart cards for all federal employees.
DoD has the CAC cards today, but will be converting to PIV. So there
will be millions of users.

The certificates will be issued by the agencies, and will not be tied
to a realm and thus will not have the id-pkinit-san. The certificate
should be usable by registering the user, certificate and mapping when
creating or updating the KDC database.

> Such a thing would impact the schema, but you'd really need to have an 
> idea of what that mapping policy (or mapping policy framework, if you 
> want to be that generic) will be in order to design ldap schema for it.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
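As an added example, not code from this thread or from MIT Kerberos: a Python sketch of the two mapping policies discussed above, decoding the KRB5PrincipalName that RFC 4556 places in an id-pkinit-san otherName and falling back to a mapping registered in the KDC database. The OID and ASN.1 layout come from RFC 4556; the certificate dictionary shape, the issuer+serial lookup key and the sample certificates are assumptions constructed for the example.

```python
ID_PKINIT_SAN = "1.3.6.1.5.2.2"  # id-pkinit-san OID (RFC 4556)

def _enc(tag, body):
    """Encode one DER TLV with a short-form length (values here stay < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def encode_krb5_principal_name(realm, *components, name_type=1):
    """Build the KRB5PrincipalName DER a CA places in the id-pkinit-san otherName:
    SEQUENCE { realm [0] KerberosString, principalName [1] PrincipalName }."""
    name_string = _enc(0x30, b"".join(_enc(0x1B, c.encode("ascii")) for c in components))
    principal = _enc(0x30, _enc(0xA0, _enc(0x02, bytes([name_type]))) + _enc(0xA1, name_string))
    return _enc(0x30, _enc(0xA0, _enc(0x1B, realm.encode("ascii"))) + _enc(0xA1, principal))

def _children(value):
    """Split a constructed DER value into (tag, inner_bytes) pairs (single-byte tags)."""
    out, pos = [], 0
    while pos < len(value):
        tag, length = value[pos], value[pos + 1]
        out.append((tag, value[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return out

def decode_krb5_principal_name(der):
    """Return (realm, [name components]) from a KRB5PrincipalName DER value."""
    (tag, body), = _children(der)
    if tag != 0x30:
        raise ValueError("KRB5PrincipalName must be a SEQUENCE")
    fields = dict(_children(body))                        # 0xA0 realm, 0xA1 principalName
    realm = _children(fields[0xA0])[0][1].decode("ascii")
    pn = dict(_children(_children(fields[0xA1])[0][1]))   # 0xA0 name-type, 0xA1 name-string
    names = [v.decode("ascii") for _, v in _children(_children(pn[0xA1])[0][1])]
    return realm, names

def map_certificate(cert, registered, kdc_realm):
    """Step 1: an id-pkinit-san naming a principal in this KDC's realm wins.
    Step 2: a mapping the administrator registered in the KDC database for this
    issuer+serial (assumed key). Otherwise None: the certificate maps to no principal."""
    for oid, der in cert["other_names"]:
        if oid == ID_PKINIT_SAN:
            realm, names = decode_krb5_principal_name(der)
            if realm == kdc_realm:            # a SAN tied to another realm does not map here
                return "/".join(names) + "@" + realm
    return registered.get(cert["issuer_serial"])

# Constructed sample data: an enterprise-CA cert carrying the SAN, and a PIV-style
# cert without it whose principal was registered when the user was added to the KDC.
ENTERPRISE_CERT = {"issuer_serial": "CN=Corp CA:0x1001",
                   "other_names": [(ID_PKINIT_SAN, encode_krb5_principal_name("EXAMPLE.ORG", "alice"))]}
PIV_CERT = {"issuer_serial": "CN=Agency CA:0x2002", "other_names": []}
REGISTERED = {"CN=Agency CA:0x2002": "bob@EXAMPLE.ORG"}
```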
