Automatic FAST via Anonymous PKINIT

Nathaniel McCallum npmccallum at redhat.com
Wed Jun 11 14:03:52 EDT 2014


On Wed, 2014-06-11 at 13:52 -0400, Greg Hudson wrote:
> On 06/11/2014 11:36 AM, Nathaniel McCallum wrote:
> > Further thought has, I think, recognized a further problem with this
> > proposal. State attribute #3 needs to be clarified as: "No known preauth
> > mechs are offered except anonymous-only PKINIT."
> [...]
> > The easiest solution to me seems to be the creation of a new padata id
> > which implies that the PKINIT is anonymous-only PKINIT.
> 
> See also our IRC conversation here:
> http://colabti.org/irclogger/irclogger_log/krbdev?date=2014-05-16#l55
> 
> If the KDC knows that the principal cannot authenticate using PKINIT, I
> don't think it should offer PKINIT at all.  Right now, the MIT KDC
> doesn't know what principals have client certificates issued to them (if
> any), so it offers PKINIT to all principals if the KDC is configured
> with a KDC cert.  But that's an implementation issue.

Are you suggesting that PKINIT shouldn't be offered even when anonymous
PKINIT is supported? Put otherwise, that the client should try anonymous
PKINIT even when not offered it?

Nathaniel
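The "state attribute #3" condition discussed above (the KDC offered no known preauth mechanism other than anonymous-only PKINIT, so the client should obtain an anonymous TGT and use it as FAST armor automatically) is a client-side decision over the padata list in the KDC's preauth-required error. The following is an added example written for this page, not code from MIT krb5 or from either author. The registered padata numbers come from RFC 4120, RFC 6113 and RFC 6560; `PA_ANON_PKINIT_ONLY` stands in for the new padata id proposed in the thread and is a hypothetical placeholder, since no number is assigned. The "ambiguous" outcome models the problem raised in this exchange: when the KDC offers ordinary PKINIT to every principal, a client without a certificate cannot tell whether anonymous PKINIT is what the KDC intends.

```python
# Added example, not MIT krb5 code. Models the client-side check implied by
# "state attribute #3": bootstrap FAST armor through anonymous PKINIT only
# when no known preauth mechanism other than anonymous-only PKINIT is offered.

# Registered padata types (RFC 4120, RFC 6113, RFC 6560).
PA_ENC_TIMESTAMP = 2
PA_PK_AS_REQ = 16
PA_ETYPE_INFO2 = 19
PA_FX_COOKIE = 133
PA_FX_FAST = 136
PA_ENCRYPTED_CHALLENGE = 138
PA_OTP_CHALLENGE = 141

# HYPOTHETICAL placeholder: the thread proposes a new padata id meaning
# "anonymous-only PKINIT", but no number has been assigned.
PA_ANON_PKINIT_ONLY = 9999

# Hints the KDC sends alongside mechanisms; they are not mechanisms themselves.
HINT_TYPES = {PA_ETYPE_INFO2, PA_FX_COOKIE, PA_FX_FAST}

# Mechanisms this model client implements that need a client credential
# (password-derived key or OTP).
CREDENTIAL_MECHS = {PA_ENC_TIMESTAMP, PA_ENCRYPTED_CHALLENGE, PA_OTP_CHALLENGE}


def split_offer(offered):
    """Split the KDC's padata list into known mechanisms and unknown types.

    Unknown types are returned separately so a real client can log them
    rather than silently treating them as "nothing offered".
    """
    mechs = set(offered) - HINT_TYPES
    known = mechs & (CREDENTIAL_MECHS | {PA_PK_AS_REQ, PA_ANON_PKINIT_ONLY})
    return known, mechs - known


def decide(offered, have_client_cert):
    """Choose how the client reacts to a KDC_ERR_PREAUTH_REQUIRED padata list.

    Returns one of:
      "anonymous-pkinit-fast-armor": attribute #3 holds, so obtain an
          anonymous TGT via PKINIT and use it as FAST armor automatically.
      "pkinit": ordinary PKINIT offered and this client holds a certificate.
      "credential-preauth": a password/OTP style mechanism is usable.
      "ambiguous-pkinit": only ordinary PKINIT offered and no certificate;
          without a dedicated padata id the client cannot tell whether the
          KDC means "anonymous only" or just offers PKINIT to everyone.
      "no-usable-mech": nothing this client knows how to satisfy.
    """
    known, _unknown = split_offer(offered)
    cert_mech = PA_PK_AS_REQ in known and have_client_cert
    cred_mech = bool(known & CREDENTIAL_MECHS)

    if PA_ANON_PKINIT_ONLY in known and not cert_mech and not cred_mech:
        return "anonymous-pkinit-fast-armor"
    if cert_mech:
        return "pkinit"
    if cred_mech:
        return "credential-preauth"
    if PA_PK_AS_REQ in known:
        return "ambiguous-pkinit"
    return "no-usable-mech"


if __name__ == "__main__":
    # Constructed sample offers, as a KDC might list them in its error.
    for offer, cert in [
        ([PA_ETYPE_INFO2, PA_ANON_PKINIT_ONLY], False),
        ([PA_PK_AS_REQ], False),
        ([PA_PK_AS_REQ, PA_ENC_TIMESTAMP], False),
    ]:
        print(sorted(offer), cert, "->", decide(offer, cert))
```

With the explicit padata id the first case resolves cleanly; the second case is exactly the situation Nathaniel describes, where a KDC that offers PKINIT to all principals leaves a certificate-less client unable to distinguish "anonymous only" from "PKINIT available".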