GSS-API and libkrb5 behavior for Anonymous tickets
ghudson at MIT.EDU
Tue Nov 3 11:55:00 EST 2009

Does Heimdal have anonymous pkinit support yet? We should try to be
consistent with its behavior if so.

My preference for gss_init_sec_context behavior is option 2 (use
anonymous credentials if present, otherwise use existing credentials and
do not set anon_state). Testing of failure to get anonymous credentials
can be done through non-GSSAPI interfaces.

I am not yet sure what my preference is for gss_acquire_credentials
behavior. Option two (get anonymous credentials either from the default
cache or in a new memory cache) sounds good on the surface.

For libkrb5, I think there should be a clearly-defined interface for
getting anonymous creds, but if that interface is not used, the library
should not make any additional effort to make things consistent. I
don't yet have an opinion on what the anonymous API should look like.

Finally: it's my understanding (though I haven't read the anonymous
pkinit spec) that it is valid to do anonymous pkinit to a realm you
can't verify the certificate of, and that this may be valuable in
obtaining a FAST armor ticket--with the proviso that your armor is then
vulnerable to a man-in-the-middle attack. It sounds like your
implementation is not going to allow that case at first, but the
interface should keep that case in mind as a future possibility.