Automatic FAST via Anonymous PKINIT
Nico Williams
nico at cryptonector.com
Wed Jun 11 14:51:08 EDT 2014
On Wed, Jun 11, 2014 at 1:03 PM, Nathaniel McCallum
<npmccallum at redhat.com> wrote:
> On Wed, 2014-06-11 at 13:52 -0400, Greg Hudson wrote:
>> If the KDC knows that the principal cannot authenticate using PKINIT, I
>> don't think it should offer PKINIT at all. Right now, the MIT KDC
>> doesn't know what principals have client certificates issued to them (if
>> any), so it offers PKINIT to all principals if the KDC is configured
>> with a KDC cert. But that's an implementation issue.
>
> Are you suggesting that PKINIT shouldn't be offered even when anonymous
> PKINIT is supported? Put otherwise, that the client should try anonymous
> PKINIT even when not offered it?
It should be offered when the cname is the anon cname, if the AS
supports anon PKINIT.