PKINIT and the schema? (Re: Lists of LDAP requirements

Will Fiveash William.Fiveash at
Fri Jul 21 15:23:34 EDT 2006

On Fri, Jul 21, 2006 at 02:58:54PM -0400, Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <William.Fiveash at> writes:
>     Will> Will PKINIT impact the schema?  If so, does it make sense to
>     Will> modify the current schema to support it?
> Probably, some configurations of pkinit will benefit from being able
> to use LDAP to specifically indicate what cert is used with what
> principal.

I'm assuming from other e-mail on this thread and this from RFC4556:

   1. If the KDC has its own binding between either the client's
      signature-verification public key or the client's certificate and
      the client's Kerberos principal name, it uses that binding.

that the issue is providing cert to princ. name binding that is external
to the client's cert.  The binding could/should be in the directory
object containing the client's principal info?

> I'm not entirely sure what the PKIXly correct way of doing that is.
> I don't think we want to create a dependency between the pkinit and
> LDAP projects although thinking about this from an extensibility
> standpoint is probably good.

Yeah, I just wanted to make sure the schema wasn't going to be a problem
in this area.

> Long term, Kerberos principals may not have secret keys in LDAP.
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
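As an added illustration that is not part of the thread, the following Python models the KDC-side lookup described in the RFC 4556 step quoted above, assuming a constructed directory whose entries record the bound certificate under a hypothetical fingerprint attribute (not an attribute of the MIT Kerberos LDAP schema):

```python
import hashlib
from typing import Dict, Optional


class ClientNameMismatch(Exception):
    """Stand-in for the KDC_ERR_CLIENT_NAME_MISMATCH error defined in RFC 4556."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate; this is how the binding is stored here."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed sample data: these byte strings stand in for DER certificates.
ALICE_CERT = b"constructed DER certificate for alice"
BOB_CERT = b"constructed DER certificate for bob"

# Constructed directory entries keyed by principal name. The attribute name
# "x-pkinit-cert-sha256" is assumed for illustration only.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice@EXAMPLE.COM": {"x-pkinit-cert-sha256": fingerprint(ALICE_CERT)},
    "bob@EXAMPLE.COM": {"x-pkinit-cert-sha256": fingerprint(BOB_CERT)},
    "svc@EXAMPLE.COM": {},  # principal entry with no KDC-side binding
}


def kdc_binding(principal: str) -> Optional[str]:
    """Return the fingerprint the directory binds to this principal, if any."""
    try:
        entry = DIRECTORY[principal]
    except KeyError:
        raise LookupError(f"unknown principal {principal}")  # KDC would reject earlier
    return entry.get("x-pkinit-cert-sha256")


def check_client_binding(requested_principal: str, cert_der: bytes) -> bool:
    """Apply the KDC's own binding from the quoted RFC 4556 rule.

    True: the directory binds a certificate to the requested principal and the
    presented certificate is that one. False: no KDC-side binding exists, so the
    KDC must fall back to the mapping carried in the certificate itself, which
    this model does not cover. ClientNameMismatch: a binding exists but names a
    different certificate, so a valid certificate for one principal cannot be
    used to request tickets for another.
    """
    bound = kdc_binding(requested_principal)
    if bound is None:
        return False
    if bound != fingerprint(cert_der):
        raise ClientNameMismatch(requested_principal)
    return True
```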
