Fwd: pkinit SAN and EKU checking

Sam Hartman hartmans at MIT.EDU
Tue May 15 10:14:06 EDT 2007

>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:

    Kevin> On 5/14/07, Sam Hartman <hartmans at mit.edu> wrote:
    >> >>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
    >> >> Long term, it seems like you either try the external plugins
    >> >> first, or you fall back to the external plugins.
    Kevin> Yes, and I was opting for the former.
    >> But why do I need to configure it?  If I have external plugins
    >> and they approve the whatever, then its approved.
    >> Or is the intent of your config option to say that only
    >> external plugins are permitted and if they fail then rather
    >> than trying the default we fail the authentication?

    Kevin> That was the intent.  But if the preference is to always
    Kevin> try plugins and only if no decision is made from them, to
    Kevin> fall back on default processing, that is fine with me.  I
    Kevin> think that is basically how the lookup plugin code is
    Kevin> structured, correct?

I think an option that disables default processing if the plugins fail
is fine.  I think an option that you are required to set in order to
use the plugins is a bad idea because it introduces unnecessary


More information about the krbdev mailing list