question about pkinit + plugin interface

Sam Hartman hartmans at MIT.EDU
Tue Oct 17 09:55:09 EDT 2006

>>>>> "Nalin" == Nalin Dahyabhai <nalin at> writes:

    Nalin> On Mon, Oct 16, 2006 at 07:42:08PM -0400, Sam Hartman
    Nalin> wrote:
    >> I think all this sounds good; I'd like to hear from Nalin and
    >> confirm he's OK, but that should not be blocking for too long.

    Nalin> Most of that sounds great.  I'm worried about (3) where the
    Nalin> krb5_get_init_creds_opt_set_pkinit() function can
    Nalin> implicitly tie the implementation to a specific toolkit --
    Nalin> if you have to specify where to find the user's
    Nalin> certificates and keys using a string in the form
    Nalin> "", well, that's only going to mean something
    Nalin> if you're using OpenSSL under the covers.

That's certainly true.
I don't know how to resolve this.

I think we should perhaps move the API discussion to krbdev and so I'm
adding that list.

I think the requirements are:

1) The API in libkrb5 must not be pkinit specific.
So I'm thinking of something like a get_init_creds_opt_set_pa which takes a patype, integer|string and value.

2) Easy compatibility with Heimdal.  So, for example, you'd like to be able to have a #define for the Heimdal functions or at least export similar functionality.

3) Minimize backend specificity.

4) Provide an interface that can be used for gssmaggot integration.

I think that goal 2 and 3 are in conflict.  It seems likely that we
may end up exporting some APIs that provide Heimdal compat at least
when built against openssl.

I would appreciate advice on how we can move forward here.

More information about the krbdev mailing list