First draft of pkinit plugin code now in Subversion

Jeffrey Hutzelman jhutz at
Wed Nov 29 19:12:59 EST 2006

On Monday, November 27, 2006 12:22:13 PM -0500 Olga Kornievskaia 
<aglo at> wrote:

>> there seems to be no support for the supportedCMSTypes field
> that is correct as well. as it was an optional field, it's
> implementation was not high on our list.

It is "OPTIONAL" in the ASN.1 sense, which means only that it is not always 
present.  This field is needed in order for the client to indicate support 
for algorithms other than the handful listed in RFC4556 section 3.1.4.

>> and that the use of CMS seems to hard code sha-1 rather than
>> making intelligent decisions about the appropriate hash to sign with.
> pkinit rfc states (3.1.1) that signature algorithm is always
> sha1WithRSAEncryption.

No; that's not what 3.1.1 says.  What it says is that all implementations 
MUST implement sha-1WithRSAEncryption.  However, other signature algorithms 
can also be used, and an implementation which limits itself to only that 
one will fail to interoperate when other algorithms are used.

-- Jeff

More information about the krbdev mailing list