Automatic FAST via Anonymous PKINIT

Greg Hudson ghudson at MIT.EDU
Wed Jun 11 14:22:11 EDT 2014


On 06/11/2014 02:03 PM, Nathaniel McCallum wrote:
> Are you suggesting that PKINIT shouldn't be offered even when anonymous
> PKINIT is supported?

Yes.  The method-data in a preauth-required error is a list of
mechanisms the client can use to authenticate as that principal, not a
general summary of KDC capabilities.

> Put otherwise, that the client should try anonymous PKINIT even when not offered it?

If the client knows it needs FAST and doesn't have another way of
producing an armor ticket, yes.  An assertion that the KDC supports
PKINIT isn't really interesting because it doesn't imply that the KDC
supports anonymous.

If we decide that we need a more explicit way for the KDC to say "I
would offer you additional mechanisms if you used FAST and I support
anonymous PKINIT" then we could define an informational padata type for
that.  But its meaning should be orthogonal to PKINIT being offered
as a mechanism for authenticating as the client principal.
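
An added example, not code from this thread or from MIT Kerberos: it decodes the METHOD-DATA that a KDC_ERR_PREAUTH_REQUIRED error carries in its e-data (RFC 4120) and applies the client policy argued for above, where the decision to try anonymous PKINIT for armor is not gated on PA-PK-AS-REQ being in the offered list. The sample DER bytes are constructed for the example, and the strategy names returned by `armor_strategy` are hypothetical labels, not anything from the krb5 code base.

```python
# Added example, not code from the thread: decode the METHOD-DATA carried in
# the e-data of a KDC_ERR_PREAUTH_REQUIRED error (RFC 4120) and pick a FAST
# armor strategy that does not depend on PA-PK-AS-REQ being offered.
PA_ENC_TIMESTAMP, PA_PK_AS_REQ, PA_ETYPE_INFO2, PA_FX_FAST = 2, 16, 19, 136

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_method_data(der):
    """Return the padata-type values of a METHOD-DATA (SEQUENCE OF PA-DATA)."""
    tag, seq, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("METHOD-DATA must be a SEQUENCE")
    types, pos = [], 0
    while pos < len(seq):
        tag, padata, pos = _tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PA-DATA must be a SEQUENCE")
        tag, inner, _ = _tlv(padata, 0)        # [1] EXPLICIT padata-type
        if tag != 0xA1:
            raise ValueError("expected [1] padata-type")
        tag, value, _ = _tlv(inner, 0)
        if tag != 0x02:
            raise ValueError("padata-type must be an INTEGER")
        types.append(int.from_bytes(value, "big", signed=True))
    return types

def armor_strategy(offered, need_fast, have_armor_ticket):
    """offered: decoded padata types; need_fast: the client's own policy."""
    if not need_fast:
        return "no-armor"
    if PA_FX_FAST not in offered:              # KDC advertises FAST (RFC 6113)
        return "kdc-does-not-advertise-fast"
    if have_armor_ticket:
        return "existing-armor-ticket"
    # PA-PK-AS-REQ in the list says nothing about anonymous PKINIT support,
    # so the attempt must not be gated on its presence.
    return "try-anonymous-pkinit"

# Constructed samples (empty padata-values): 19, 2, 136; the second adds 16.
SAMPLE_NO_PKINIT = bytes.fromhex("3022" "3009a103020113a2020400"
    "3009a103020102a2020400" "300aa10402020088a2020400")
SAMPLE_WITH_PKINIT = bytes.fromhex("302d" "3009a103020113a2020400"
    "3009a103020102a2020400" "300aa10402020088a2020400" "3009a103020110a2020400")
```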


More information about the krbdev mailing list