NSS for PKINIT, in-progress patches available, feedback sought
nalin at redhat.com
Thu Sep 29 17:42:05 EDT 2011
On Mon, Sep 12, 2011 at 10:13:23PM -0700, Henry B. Hotz wrote:
> A lot of hard-core PKI types don't understand this, but the set of CAs which you trust to verify log-in-able certificates (e.g. for PKINIT) is unlikely to be the same as the ones canned into your browser. To give you a specific example: the NASA CA is under the US Treasury, which is not trusted by any OS or browser AFAIK. OTOH the mainland Chinese CA (CNNIC) *is* trusted by everyone.
> Do I need to explain why that might make sense to the CAB Forum, but not for my PKINIT deployment? Who you allow as a trust anchor is application and LoA dependent.
> If I understand what you're saying, then I don't think you did anything wrong. There needs to be some clear documentation of the side effects of referencing a database and a recommendation that you strictly limit the allowed trust anchors everywhere.
Yeah, you're right. Usually I don't see the big bundle of certs added
to the default database, but there's no point in taking that chance if
people are already expecting to have to specify the anchor locations
directly in the Kerberos configuration.
The newer version of the patch adds flags to the library initialization
call which instruct it to not open the certificate and key database, to
not load any PKCS#11 modules registered there, and to not look for the
built-in default roots.
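As an added illustration of the "strictly limit the allowed trust anchors everywhere" recommendation discussed above (not part of the original thread or of the patch under discussion): a krb5.conf fragment that points PKINIT at a single, deliberately small anchor file rather than at any general-purpose certificate store. The realm name and file paths are placeholders; `pkinit_anchors` is the standard MIT krb5 option for naming PKINIT trust anchors.

```ini
; Constructed example configuration, not from the thread or the patch.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        ; Trust only the CA that actually issues log-in certificates for
        ; this realm. The file should contain that CA alone, never a
        ; browser-style bundle of public roots.
        pkinit_anchors = FILE:/etc/krb5/pkinit/login-ca.pem
    }
```

The same directive can be placed in `[libdefaults]` to apply to every realm, and on the KDC side it lives in kdc.conf under the realm stanza; either way the file it names is the whole set of anchors PKINIT will accept, which is the point of keeping it separate from the OS or browser root store.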