Comments on the use of plugins - use of pkinit_kdc_hostname
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Jun 19 19:22:29 EDT 2007
On Jun 19, 2007, at 9:03 AM, krbdev-request at mit.edu wrote:
>>> No, the issue is that without trusting DNS, you don't know
>>> that the SRV record returned the right cert.
>
> Douglas> This DNS trust issue is the same problem you have without
> Douglas> PKINIT, and is related to IP spoofing, i.e. how does the
> Douglas> client know it is talking to the real KDC?
>
> No. I can trust the KDC because only it knows my password. (That's
> different from the system i'm logging into trusting me, which requires
> that it have a host key.) But normal Kerberos does not depend on the
> security of the DNS. If your DNS is returning the wrong information
> you can get denial of service, but you cannot make a trusted local
> user believe they are talking to a KDC that does not know their
> password.
Let me make sure I'm tracking this thread: We're only worried about
trust when the KDC cert doesn't have the right 4556 attributes. If
it has the right attributes, then the only trust issue is the
standard X509 one of making sure the right certs (and only the right
certs from a genuinely trusted CA) are available on the client to
verify the KDC's cert.
Correct?
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev
mailing list