Automatic FAST via Anonymous PKINIT

Greg Hudson ghudson at MIT.EDU
Wed Jun 11 13:52:36 EDT 2014


On 06/11/2014 11:36 AM, Nathaniel McCallum wrote:
> Further thought has, I think, recognized a further problem with this
> proposal. State attribute #3 needs to be clarified as: "No known preauth
> mechs are offered except anonymous-only PKINIT."
[...]
> The easiest solution to me seems to be the creation of a new padata id
> which implies that the PKINIT is anonymous-only PKINIT.

See also our IRC conversation here:
http://colabti.org/irclogger/irclogger_log/krbdev?date=2014-05-16#l55

If the KDC knows that the principal cannot authenticate using PKINIT, I
don't think it should offer PKINIT at all.  Right now, the MIT KDC
doesn't know what principals have client certificates issued to them (if
any), so it offers PKINIT to all principals if the KDC is configured
with a KDC cert.  But that's an implementation issue.
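The following is an added example, not code from this thread or from MIT krb5. It models the two decisions the message and the quoted proposal turn on: which preauth padata the KDC advertises for a given principal, and whether a cert-less client can tell from that advertisement that PKINIT is only on offer anonymously. Padata type numbers are the registered values from RFC 4120, RFC 4556, RFC 6113 and RFC 6560; PA_ANON_PKINIT_ONLY is a placeholder for the new padata id proposed in the quoted text and is not a registered value, and the KdcConfig/Principal attributes (knows_client_certs, uses_otp) are assumptions made for the model.

```python
"""Model of KDC preauth advertisement and the client's reading of it.

Added example, not code from the krbdev thread or from MIT krb5.  Padata
type numbers are the registered values; PA_ANON_PKINIT_ONLY is an assumed
placeholder for the proposed anonymous-only PKINIT padata id.
"""
from __future__ import annotations

from dataclasses import dataclass

PA_ENC_TIMESTAMP = 2          # RFC 4120: password-based preauth
PA_PK_AS_REQ = 16             # RFC 4556: PKINIT
PA_ETYPE_INFO2 = 19           # RFC 4120: informational, not a mechanism
PA_FX_COOKIE = 133            # RFC 6113: informational, not a mechanism
PA_FX_FAST = 136              # RFC 6113: FAST armor wrapper, not a mechanism
PA_OTP_CHALLENGE = 141        # RFC 6560: OTP preauth, only usable inside FAST
PA_ANON_PKINIT_ONLY = 0x7FFF  # HYPOTHETICAL: "PKINIT offered for anonymous use only"


@dataclass(frozen=True)
class KdcConfig:
    has_kdc_cert: bool          # KDC is configured with a PKINIT certificate
    knows_client_certs: bool    # KDC tracks which principals hold client certs
                                # (False models today's MIT KDC, per the message)


@dataclass(frozen=True)
class Principal:
    name: str
    uses_otp: bool = False      # assumed attribute: OTP instead of a password
    has_client_cert: bool = False


def kdc_offered_padata(cfg: KdcConfig, princ: Principal) -> list[int]:
    """Padata types the KDC would list in its PREAUTH_REQUIRED error."""
    offered = [PA_FX_FAST, PA_FX_COOKIE, PA_ETYPE_INFO2]
    offered.append(PA_OTP_CHALLENGE if princ.uses_otp else PA_ENC_TIMESTAMP)
    if not cfg.has_kdc_cert:
        return offered                      # no PKINIT of any kind
    if not cfg.knows_client_certs or princ.has_client_cert:
        offered.append(PA_PK_AS_REQ)        # MIT today: everyone; with knowledge: cert holders
    else:
        # Greg's point plus the proposed id: the KDC knows this principal
        # cannot do PKINIT, so advertise only the anonymous-only form
        # (assumes anonymous PKINIT is enabled in the realm).
        offered.append(PA_ANON_PKINIT_ONLY)
    return offered


def classify_offer(offered: list[int], client_mechs: set[int],
                   client_has_cert: bool) -> str:
    """How a client reads the KDC's advertisement.

    'usable'    a mechanism the client can run as this principal was offered
    'ambiguous' the only known mechanism is plain PKINIT and the client has
                no cert: it cannot tell a real PKINIT offer from one made
                just because the KDC has a cert
    'anon-only' no known mechanism except anonymous-only PKINIT
                (the quoted state attribute #3, now unambiguous)
    'none'      nothing the client implements was offered
    """
    known = [p for p in offered if p in client_mechs]
    usable = [p for p in known if p != PA_PK_AS_REQ or client_has_cert]
    if usable:
        return "usable"
    if PA_PK_AS_REQ in known:
        return "ambiguous"
    if PA_ANON_PKINIT_ONLY in offered:
        return "anon-only"
    return "none"


# Constructed scenario: a client that implements enc-timestamp and PKINIT but
# not OTP, talking to a KDC about an OTP-only principal without a client cert.
CLIENT_MECHS = {PA_ENC_TIMESTAMP, PA_PK_AS_REQ}
ALICE = Principal("alice", uses_otp=True)
BOB = Principal("bob", has_client_cert=True)

KDC_MIT_TODAY = KdcConfig(has_kdc_cert=True, knows_client_certs=False)
KDC_WITH_KNOWLEDGE = KdcConfig(has_kdc_cert=True, knows_client_certs=True)
KDC_NO_CERT = KdcConfig(has_kdc_cert=False, knows_client_certs=True)


def scenario(cfg: KdcConfig, princ: Principal) -> str:
    return classify_offer(kdc_offered_padata(cfg, princ), CLIENT_MECHS,
                          princ.has_client_cert)


if __name__ == "__main__":
    for label, cfg in [("MIT today", KDC_MIT_TODAY),
                       ("per-principal knowledge", KDC_WITH_KNOWLEDGE),
                       ("no KDC cert", KDC_NO_CERT)]:
        print(f"{label:24s} alice -> {scenario(cfg, ALICE):10s} "
              f"bob -> {scenario(cfg, BOB)}")
```

With knows_client_certs=False (the current MIT behaviour described in the message), alice's offer classifies as "ambiguous": the client sees PA_PK_AS_REQ but cannot tell whether it is a real option for her or is there only because the KDC has a cert. With per-principal knowledge and the distinct padata id it classifies as "anon-only", which is exactly the condition the clarified state attribute #3 names.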


More information about the krbdev mailing list