NSS for PKINIT, in-progress patches available, feedback sought

Henry B. Hotz hotz at jpl.nasa.gov
Tue Sep 13 01:13:23 EDT 2011

On Sep 8, 2011, at 9:36 AM, krbdev-request at mit.edu wrote:

> The build machinery patch also adds recognition of "NSS:" identity
> types, to allow NSS databases to be used, though as that also implicitly
> adds CA certificates in the database to the set of trusted CAs, which
> can surprise people who are used to the way it works now, that might
> have to be dropped.

A lot of hard-core PKI types don't understand this, but the set of CAs which you trust to verify log-in-able certificates (e.g. for PKINIT) is unlikely to be the same as the ones canned into your browser.  To give you a specific example:  the NASA CA is under the US Treasury, which is not trusted by any OS or browser AFAIK.  OTOH the mainland Chinese CA (CNNIC) *is* trusted by everyone.

Do I need to explain why that might make sense to the CAB Forum, but not for my PKINIT deployment?  Who you allow as a trust anchor is application and LoA dependent.

If I understand what you're saying, then I don't think you did anything wrong.  There needs to be some clear documentation of the side effects of referencing a database and a recommendation that you strictly limit the allowed trust anchors everywhere.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

More information about the krbdev mailing list