pkinit kinit/krb5.conf naming inconsistencies

Nicolas Williams Nicolas.Williams at sun.com
Mon Sep 15 17:09:04 EDT 2008


The more I think about this the more I dislike having this different
parameter prefix.

Moreover, I wonder why only PKINIT-related parameters should be settable
via kinit -x, and not other krb5.conf parameters such as, say,
default_tkt_enctypes (that would complicate the -x option somewhat in
that a config file section would be needed for some parameters).

So, I think that MIT should reconsider this kinit -x option.

Also, Jeff H. mentions (offline) the possibility of doing
PKINIT-over-StartTLS.  That would certainly render the x509_ prefix very
confusing!  IMO it'd be much better to wait until MIT krb5 gets a
StartTLS implementation before adding parameters with such a generic
prefix.

Nico
-- 



More information about the krbdev mailing list