Comments on the use of plugins - use of pkinit_kdc_hostname

Sam Hartman hartmans at MIT.EDU
Mon Jun 18 15:28:04 EDT 2007


>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:

    Douglas> I think what I am asking for is a better way to handle
    Douglas> the current Windows KDCs, until they support full RFC
    Douglas> 4556.

Right.
And if we can figure out a secure way to map the KDC cert to a specific realm without configuration, I'm happy to do that.

So far you have not shown that the mappings you propose are in fact
secure.

Keep in mind that MIT clients will likely have a larger CA set than
some W2K deployments.



