GSS-API and libkrb5 behavior for Anonymous tickets

Greg Hudson ghudson at MIT.EDU
Tue Nov 3 11:55:00 EST 2009

Does Heimdal have anonymous pkinit support yet?  We should try to be
consistent with its behavior if so.

My preference for gss_init_sec_context behavior is option 2 (use
anonymous credentials if present, otherwise use existing credentials and
do not set anon_state).  Testing of failure to get anonymous credentials
can be done through non-GSSAPI interfaces.

I am not yet sure what my preference is for gss_acquire_credentials
behavior.  Option two (get anonymous credentials either from the default
cache or in a new memory cache) sounds good on the surface.

For libkrb5, I think there should be a clearly-defined interface for
getting anonymous creds, but if that interface is not used, the library
should not make any additional effort to make things consistent.  I
don't yet have an opinion on what the anonymous API should look like.

Finally: it's my understanding (though I haven't read the anonymous
pkinit spec) that it is valid to do anonymous pkinit to a realm you
can't verify the certificate of, and that this may be valuable in
obtaining a FAST armor ticket--with the proviso that your armor is then
vulnerable to a man-in-the-middle attack.  It sounds like your
implementation is not going to allow that case at first, but the
interface should keep that case in mind as a future possibility.
