Comments on the use of plugins - use of pkinit_kdc_hostname
Sam Hartman
hartmans at MIT.EDU
Fri Jun 15 20:01:24 EDT 2007
>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
Douglas> The pkinit_kdc_hostname, in effect duplicates, the hostnames
Douglas> as used in kdc = or in the DNS SRV records. We really like to
Douglas> use the dns_lookup_kdc=1 option so we don't have to have the names
Douglas> of the KDCs in the krb5.conf. Having to add the
Douglas> hostnames for pkinit_kdc_hostnames defeats this goal!
Douglas> If the concern is that the cert may be valid but not be from
Douglas> a KDC, I would hope that some more Windows friendly code
Douglas> could be added. It looks like Windows adds the extension
Douglas> 1.3.6.1.311.20.2 with a value of DomainController (utf8?) to
Douglas> the cert as well as a SAN for DNS. (But windows being windows
Douglas> the host part of the DNS name XXXXXX below is in uppercase!)
No, the issue is that without trusting DNS, you don't know that the
SRV record returned the right cert. You need to have some way to
securely map the realm name to the kdcs.