NSS for PKINIT, in-progress patches available, feedback sought

Sam Hartman hartmans at MIT.EDU
Thu Sep 8 14:56:46 EDT 2011


Painless Security is working on pkinit algorithm agility patches.  Our
statement of work only includes openssl support and assumes that the new
KDF will be provided by each crypto implementation.  My assumption is
that our patches will land on trunk first.  You should plan on
implementing the pkinit algorithm agility KDF for NSS.

If the NSS patches are going to land first, then MIT will need to figure
out what to do, as refactoring so that more of pkinit can be generic or
making support for the new KDF optional are both out of scope for our
current work.

We should have patches available for review shortly.


