Comments on the use of plugins - use of pkinit_kdc_hostname

Henry B. Hotz hotz at
Tue Jun 19 19:22:29 EDT 2007

On Jun 19, 2007, at 9:03 AM, krbdev-request at wrote:

>>>  No, the issue is that without trusting DNS, you don't know
>>> that the SRV record returned the right cert.
>     Douglas> This DNS trust issue is the same problem you have without
>     Douglas> PKINIT, and is related to IP spoofing, i.e. how does the
>     Douglas> client know it is talking to the real KDC?
> No.  I can trust the KDC because only it knows my password.  (That's
> different from the system I'm logging into trusting me, which requires
> that it have a host key.)  But normal Kerberos does not depend on the
> security of the DNS.  If your DNS is returning the wrong information
> you can get denial of service, but you cannot make a trusted local
> user believe they are talking to a KDC that does not know their
> password.

Let me make sure I'm tracking this thread:  We're only worried about
trust when the KDC cert doesn't have the right 4556 attributes.  If
it has the right attributes, then the only trust issue is the
standard X509 one of making sure the right certs (and only the right
certs from a genuinely trusted CA) are available on the client to
verify the KDC's cert.


The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
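Added example, not part of this thread and not MIT krb5's code: a Go program that issues a constructed self-signed test certificate carrying the RFC 4556 KDC attributes and then runs the client-side identity check the thread is about. The attributes it checks are the id-pkinit-KPKdc extended key usage (1.3.6.1.5.2.3.5) and an id-pkinit-san (1.3.6.1.5.2.2) otherName holding the principal krbtgt/REALM@REALM; only when the certificate has no matching otherName does it fall back to matching a dNSName against a pkinit_kdc_hostname-style list, and it reports that case separately, because acceptance then rests on the hostname (and so on DNS or local configuration) rather than on a Kerberos binding inside the certificate. The function names, the realm EXAMPLE.COM, the hostname kdc.example.com, the self-signed certificate and the rule that a non-matching id-pkinit-san falls through to the hostname check are this example's own choices. The chain validation to a trusted CA that the message above calls the standard X.509 problem is assumed to happen separately and is not shown.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OIDs: id-pkinit-san and id-pkinit-KPKdc (RFC 4556 section 3.2.4), subjectAltName (RFC 5280).
var oidPKINITSAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 2}
var oidPKINITKPKdc = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 3, 5}
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// enc emits one DER element of the given class/tag around already-encoded (or raw) content.
func enc(class, tag int, compound bool, items ...[]byte) []byte {
	return must(asn1.Marshal(asn1.RawValue{Class: class, Tag: tag, IsCompound: compound, Bytes: bytes.Join(items, nil)}))
}

// pkinitSAN hand-encodes the otherName GeneralName { id-pkinit-san, KRB5PrincipalName } for
// krbtgt/REALM@REALM. Realm and name components are GeneralString (KerberosString), which
// encoding/asn1 cannot emit through struct tags, hence the manual DER.
func pkinitSAN(realm string) []byte {
	gs := func(s string) []byte { return enc(asn1.ClassUniversal, asn1.TagGeneralString, false, []byte(s)) }
	principal := enc(asn1.ClassUniversal, asn1.TagSequence, true, // PrincipalName { name-type [0], name-string [1] }
		enc(asn1.ClassContextSpecific, 0, true, must(asn1.Marshal(2))), // name-type 2 = NT-SRV-INST
		enc(asn1.ClassContextSpecific, 1, true, enc(asn1.ClassUniversal, asn1.TagSequence, true, gs("krbtgt"), gs(realm))))
	kpn := enc(asn1.ClassUniversal, asn1.TagSequence, true, // KRB5PrincipalName { realm [0], principalName [1] }
		enc(asn1.ClassContextSpecific, 0, true, gs(realm)), enc(asn1.ClassContextSpecific, 1, true, principal))
	// otherName is GeneralName choice [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.
	return enc(asn1.ClassContextSpecific, 0, true, must(asn1.Marshal(oidPKINITSAN)), enc(asn1.ClassContextSpecific, 0, true, kpn))
}

// makeKDCCert issues a self-signed test certificate (constructed for this example) carrying the
// id-pkinit-KPKdc EKU, optionally the id-pkinit-san for krbtgt/REALM@REALM and optionally a dNSName.
func makeKDCCert(realm string, withPKINITSAN bool, dnsName string) *x509.Certificate {
	var names [][]byte
	if withPKINITSAN {
		names = append(names, pkinitSAN(realm))
	}
	if dnsName != "" { // dNSName is GeneralName choice [2], an IA5String
		names = append(names, enc(asn1.ClassContextSpecific, 2, false, []byte(dnsName)))
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kdc"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidPKINITKPKdc},
		ExtraExtensions:    []pkix.Extension{{Id: oidSubjectAltName, Value: enc(asn1.ClassUniversal, asn1.TagSequence, true, names...)}},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

// verifyKDCCert models the RFC 4556 KDC identity check (this example's rules, not MIT krb5's code):
// the EKU must carry id-pkinit-KPKdc and an id-pkinit-san must equal the canonical DER for
// krbtgt/REALM@REALM. Otherwise a dNSName matching a configured pkinit_kdc_hostname is accepted,
// with viaHostname set, since that binding rests on DNS/config rather than on the cert itself.
func verifyKDCCert(cert *x509.Certificate, realm string, kdcHostnames []string) (ok, viaHostname bool, reason string) {
	hasEKU := false
	for _, id := range cert.UnknownExtKeyUsage {
		hasEKU = hasEKU || id.Equal(oidPKINITKPKdc)
	}
	if !hasEKU {
		return false, false, "EKU lacks id-pkinit-KPKdc"
	}
	want := pkinitSAN(realm)
	for _, ext := range cert.Extensions { // crypto/x509 drops otherName entries, so walk the raw SAN
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName (a CHOICE)
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return false, false, "malformed subjectAltName"
		}
		for _, gn := range names {
			if bytes.Equal(gn.FullBytes, want) { // DER is canonical, so an exact byte match is an exact principal match
				return true, false, "id-pkinit-san names krbtgt/" + realm + "@" + realm
			}
		}
	}
	for _, h := range kdcHostnames { // no usable id-pkinit-san: only the configured hostname is left
		for _, d := range cert.DNSNames {
			if strings.EqualFold(h, d) {
				return true, true, "dNSName " + d + " matches pkinit_kdc_hostname"
			}
		}
	}
	return false, false, "no id-pkinit-san and no pkinit_kdc_hostname match"
}

func main() {
	dnsOnly := makeKDCCert("EXAMPLE.COM", false, "kdc.example.com")
	fmt.Println(verifyKDCCert(dnsOnly, "EXAMPLE.COM", nil))
	fmt.Println(verifyKDCCert(dnsOnly, "EXAMPLE.COM", []string{"kdc.example.com"}))
	fmt.Println(verifyKDCCert(makeKDCCert("EXAMPLE.COM", true, ""), "EXAMPLE.COM", nil))
}
```

The otherName is matched byte-for-byte against the canonical DER of the expected principal, which is exact but also pins the name-type to NT-SRV-INST; a client that decodes the KRB5PrincipalName and compares realm and components can be more lenient about name-type. The value of the viaHostname flag is that it marks precisely the situation the thread worries about: a certificate accepted only because a hostname from local configuration (and whatever DNS answer led to it) matched a dNSName.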
