libverto event context for certauth plugin?

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Sep 18 17:30:37 EDT 2020


So, as mentioned previously here, I am working on some certauth plugins to
do (among other things) OCSP revocation checking.

Right now in our deployment we have an OCSP server ON our KDCs and download
the CRLs to it nightly, so I'm not worried about network delays blocking
the KDC (unless I screw up the OCSP server, which is always possible).
But it DOES occur to me that it might make sense to support things like
checking the OCSP server that is actually listed in a certificate, but that
would make it possible for the KDC to block.

The obvious answer to deal with this is to pass down the libverto context
to the certauth plugin and then make certauth asynchronous.  But ... I
completely recognize that is NOT a small amount of code, makes the pkinit
plugin more complicated, and requires a change to the certauth plugin API.
I do not know if this is a corner case or not; I just wanted to raise it
as something I could see being useful, but it may be that not many people
need this functionality.  So ... thoughts?

--Ken