PKINIT and the schema? (Re: Lists of LDAP requirements

Henry B. Hotz hotz at
Fri Jul 21 18:41:25 EDT 2006

What he said.

For JPL our NASA PKI name doesn't correspond to anything normally reasonable.  It just concatenates enough stuff that it's guaranteed to be unique.  I'm amazed that it's so hard to do what appears minimally reasonable.

On Jul 21, 2006, at 9:01 AM, krbdev-request at wrote:

> Date: Fri, 21 Jul 2006 09:10:41 -0500
> From: "Douglas E. Engert" <deengert at>
> Subject: Re: PKINIT and the schema? (Re: Lists of LDAP requirements
> To: Chaskiel M Grundman <cg2v at>
> Cc: krbdev at
> Message-ID: <44C0E061.3010704 at>
> Content-Type: text/plain; charset=us-ascii; format=flowed
> Chaskiel M Grundman wrote:
>> --On Thursday, July 20, 2006 03:53:56 PM -0500 Will Fiveash
>> <William.Fiveash at> wrote:
>>> Will PKINIT impact the schema?
>> The required-to-implement pkinit certificate mapping algorithm does not
>> require the kdc to store mapping data: the certificate must have a
>> subject alternative name of type id-pkinit-san which contains a kerberos
>> principal name.
> Which then limits the use of the certificate to the specific realm.  And is
> really only useful for an enterprise CA, and requires the principal to be
> known at the time the certificate is issued.
>> Of course, MIT (or novell, sun, etc) may want to implement a mapping
>> policy that allows certificates to be used with pkinit that were not
>> issued specifically with pkinit in mind.
> This will be extremely important, with the requirements of HSPD-12
> to mandate the use of the NIST PIV smart cards for all federal employees.
> DoD has the CAC cards today, but will be converting to PIV. So there
> will be millions of users.
> The certificates will be issued by the agencies, and will not be tied
> to a realm and thus will not have the id-pkinit-san. The certificate
> should be usable by registering the user, certificate and mapping when
> creating or updating the KDC database.
>> Such a thing would impact the schema, but you'd really need to have an
>> idea of what that mapping policy (or mapping policy framework, if you
>> want to be that generic) will be in order to design ldap schema for it.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
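The two mapping approaches discussed in the quoted thread, as an added Python example that is not part of the thread or of any Kerberos implementation: a minimal DER encoder/decoder for the KRB5PrincipalName that an id-pkinit-san OtherName carries (RFC 4556), and a mapping function that uses that SAN when present and otherwise falls back to a mapping registered in the KDC database. It assumes the OtherName value has already been unwrapped from the GeneralName, and the (issuer DN, subject DN) key and the mapping table are constructed stand-ins, not any real KDC schema.

```python
ID_PKINIT_SAN = "1.3.6.1.5.2.2"  # RFC 4556 id-pkinit-san, the OtherName type-id

def _der(tag, payload):
    # Minimal DER TLV encoder: definite lengths, short or long form.
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _tlv(buf, off=0):
    # Parse one DER TLV at buf[off]; returns (tag, value bytes, offset after it).
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def encode_krb5_principal_name(realm, components, name_type=1):
    # KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF GeneralString }
    names = b"".join(_der(0x1B, c.encode("ascii")) for c in components)
    principal = _der(0x30, _der(0xA0, _der(0x02, bytes([name_type])))
                     + _der(0xA1, _der(0x30, names)))
    return _der(0x30, _der(0xA0, _der(0x1B, realm.encode("ascii"))) + _der(0xA1, principal))

def decode_krb5_principal_name(der):
    # Inverse of encode_krb5_principal_name; returns (realm, components, name_type).
    body = _tlv(der)[1]
    _, realm_ctx, off = _tlv(body)
    pn = _tlv(_tlv(body, off)[1])[1]             # unwrap [1], then the SEQUENCE
    _, nt_ctx, off = _tlv(pn)
    ns = _tlv(_tlv(pn, off)[1])[1]               # unwrap [1], then the SEQUENCE OF
    comps, off = [], 0
    while off < len(ns):
        _, c, off = _tlv(ns, off)
        comps.append(c.decode("ascii"))
    realm = _tlv(realm_ctx)[1].decode("ascii")   # unwrap [0] to the GeneralString
    return realm, comps, int.from_bytes(_tlv(nt_ctx)[1], "big", signed=True)

def map_certificate_to_principal(other_names, issuer_and_subject, kdc_mappings):
    # Policy 1 (mandatory in RFC 4556): an id-pkinit-san OtherName names the principal,
    # so the KDC stores nothing. Policy 2 (the thread's case for agency-issued cards):
    # a mapping registered in the KDC database, keyed here by a constructed (issuer, subject).
    for oid, value in other_names:
        if oid == ID_PKINIT_SAN:
            realm, comps, _ = decode_krb5_principal_name(value)
            return "/".join(comps) + "@" + realm
    return kdc_mappings.get(issuer_and_subject)
```

A certificate with neither an id-pkinit-san nor a registered mapping yields None, which is the case the thread says the KDC database would have to cover.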
