Fwd: pkinit SAN and EKU checking

Kevin Coffman kwc at citi.umich.edu
Thu May 17 17:30:53 EDT 2007


To follow up, this is what is currently implemented.  (My pkinit
subversion branch has been updated as of this afternoon.)

After the discussions, I decided that the pkinit_san_checking option
was not necessary given the existing config options.

SAN Checking
============

Client verification of KDC certificate
--------------------------------------

The default is to try to match an id-pkinit-san.  If
"pkinit_kdc_hostname" values are configured, then those values will be
checked against any dNSName SANs found in the certificate.

When/if plugin support for mapping is added, plugins will be called
first.  If the return is "NO_DECISION", then the default checking
described above will take place.  Otherwise, the decision of the
plugins is used.

KDC verification of client certificates
---------------------------------------

The default is to try to match an id-pkinit-san.  If "pkinit_allow_upn
= yes" is configured, then id-ms-san-sc-logon-upn SAN values will be
compared to the principal name.

When/if plugin support for mapping is added, plugins will be called
first.  If the return is "NO_DECISION", then the default checking
described above will take place.  Otherwise, the decision of the
plugins is used.


EKU checking is as originally described:

EKU checking
============

Client verification of KDC certificate
--------------------------------------

pkinit_eku_checking = [kpKDC | kpServerAuth | none]

The default is "kpKDC", which means the client insists that the KDC
certificate contains the kpKDC EKU.  If "kpServerAuth" is specified,
the client will accept a KDC certificate with either the kpKDC EKU or
the serverAuth EKU.  If "none" is specified, the client does not
require that the KDC's certificate have either EKU (not recommended).

(Note that according to section 3.2.4 of rfc4556, if the KDC
certificate has the id-pkinit-san SAN corresponding to the Kerberos
TGS name, the kpKDC EKU is not required.)

KDC verification of client certificates
---------------------------------------

pkinit_eku_checking = [kpClientAuth | scLogin | none]

The default is to accept client certificates with either the
id-pkinit-KPClientAuth or id-ms-kp-sc-login EKU.  If "kpClientAuth" is
specified, then the client certificate must have the
id-pkinit-KPClientAuth EKU.  If "scLogin" is specified, then the
client certificate must have the id-ms-kp-sc-login EKU.  If "none" is
specified, then no EKU will be required in client certificates.
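The SAN and EKU rules from both sections above (client checking of the KDC certificate and KDC checking of client certificates), modelled in Python over constructed certificate data.  This is an added example, not krb5 code; the certificate dict layout, the function names and the plain-string comparison of the UPN SAN against the principal name are assumptions of the model.

```python
# Added example, not krb5 code: a model of the pkinit SAN and EKU acceptance
# rules above, applied to constructed certificate data. OIDs are the standard
# ones from RFC 4556 and Microsoft's smart-card logon profile.
ID_PKINIT_SAN = "1.3.6.1.5.2.2"           # KRB5PrincipalName otherName (id-pkinit-san)
ID_MS_UPN_SAN = "1.3.6.1.4.1.311.20.2.3"  # id-ms-san-sc-logon-upn otherName
KP_KDC = "1.3.6.1.5.2.3.5"                # id-pkinit-KPKdc EKU
KP_CLIENT_AUTH = "1.3.6.1.5.2.3.4"        # id-pkinit-KPClientAuth EKU
KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth EKU
KP_SC_LOGON = "1.3.6.1.4.1.311.20.2.2"    # id-ms-kp-sc-logon EKU

def client_accepts_kdc_cert(cert, tgs_name, kdc_hostnames=(), eku_checking="kpKDC"):
    """Client side: SAN check first, then EKU check, as configured."""
    sans = cert["sans"]
    # Default SAN rule: an id-pkinit-san naming the TGS. Configured
    # pkinit_kdc_hostname values are matched against dNSName SANs.
    san_ok = tgs_name in sans.get(ID_PKINIT_SAN, ()) or any(
        h in sans.get("dNSName", ()) for h in kdc_hostnames)
    if not san_ok:
        return False
    # "kpKDC" insists on id-pkinit-KPKdc; "kpServerAuth" also accepts
    # id-kp-serverAuth; "none" skips the check. RFC 4556 3.2.4 waives kpKDC
    # when the id-pkinit-san matches the TGS; this model does not apply that.
    accepted = {"kpKDC": {KP_KDC}, "kpServerAuth": {KP_KDC, KP_SERVER_AUTH}}
    if eku_checking == "none":
        return True
    return not set(cert["ekus"]).isdisjoint(accepted[eku_checking])

def kdc_accepts_client_cert(cert, principal, allow_upn=False, eku_checking=None):
    """KDC side: SAN check first, then EKU check, as configured."""
    sans = cert["sans"]
    # Default SAN rule: an id-pkinit-san naming the principal; with
    # pkinit_allow_upn = yes the UPN SAN is compared too (plain string match here).
    san_ok = principal in sans.get(ID_PKINIT_SAN, ()) or (
        allow_upn and principal in sans.get(ID_MS_UPN_SAN, ()))
    if not san_ok:
        return False
    # Default (None) accepts either client-auth EKU; "none" requires no EKU.
    accepted = {None: {KP_CLIENT_AUTH, KP_SC_LOGON},
                "kpClientAuth": {KP_CLIENT_AUTH}, "scLogin": {KP_SC_LOGON}}
    if eku_checking == "none":
        return True
    return not set(cert["ekus"]).isdisjoint(accepted[eku_checking])

# Constructed sample certificates (fields a parser would yield, not real certs).
TGS = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
KDC_CERT = {"sans": {ID_PKINIT_SAN: [TGS]}, "ekus": [KP_KDC]}
TLS_CERT = {"sans": {"dNSName": ["kdc1.example.com"]}, "ekus": [KP_SERVER_AUTH]}
USER_CERT = {"sans": {ID_MS_UPN_SAN: ["alice@EXAMPLE.COM"]}, "ekus": [KP_SC_LOGON]}
```

With the samples above, TLS_CERT passes only once a matching pkinit_kdc_hostname is configured and EKU checking is relaxed to kpServerAuth, and USER_CERT passes only with pkinit_allow_upn = yes.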
