PKINIT and the schema? (Re: Lists of LDAP requirements
Henry B. Hotz
hotz at jpl.nasa.gov
Fri Jul 21 18:41:25 EDT 2006
What he said.
For JPL our NASA PKI name doesn't correspond to anything normally
reasonable. It just concatenates enough stuff that it's guaranteed
to be unique. I'm amazed that it's so hard to do what appears
On Jul 21, 2006, at 9:01 AM, krbdev-request at mit.edu wrote:
> Date: Fri, 21 Jul 2006 09:10:41 -0500
> From: "Douglas E. Engert" <deengert at anl.gov>
> Subject: Re: PKINIT and the schema? (Re: Lists of LDAP requirements
> To: Chaskiel M Grundman <cg2v at andrew.cmu.edu>
> Cc: krbdev at mit.edu
> Message-ID: <44C0E061.3010704 at anl.gov>
> Content-Type: text/plain; charset=us-ascii; format=flowed
> Chaskiel M Grundman wrote:
>> --On Thursday, July 20, 2006 03:53:56 PM -0500 Will Fiveash
>> <William.Fiveash at sun.com> wrote:
>>> Will PKINIT impact the schema?
>> The required-to-implement pkinit certificate mapping algorithm
>> does not
>> require the kdc to store mapping data: the certificate must have a
>> subject alternative name of type id-pkinit-san which contains a
>> principal name.
> Which then limits the use of the certificate to the specific
> realm. And is
> really only usefull for an enterprise CA, and requires the
> principal to be
> know at the time the certificate is issued.
>> Of course, MIT (or novell, sun, etc) may want to implement a mapping
>> policy that allows certificates to be used with pkinit that were not
>> issued specifically with pkinit in mind.
> This will be extremely important, with the requirements of HSPD-12
> to mandate the use of the NIST PIV smart cards for all federal
> DoD has the CAC cards today, but will be converting to PIV. So there
> will millions of users.
> The certificates will be issued by the agencies, and will not be tied
> to a realm and thus will not have the id-pkinit-san. The certificate
> should be usable by registering the user, certificate and mapping when
> creating or updating the KDC database.
>> Such a thing would impact the schema, but you'd really need to
>> have an
>> idea of what that mapping policy (or mapping policy framework, if you
>> want to be that generic) will be in order to design ldap schema for i
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev