libverto event context for certauth plugin?

Greg Hudson ghudson at
Tue Sep 22 14:03:46 EDT 2020

On 9/18/20 5:30 PM, Ken Hornstein wrote:
> So, as mentioned previously here, I am working on some certauth plugins to
> do (among other things) OCSP revocation checking.
> The obvious answer is to deal with this to pass down the libverto context
> to the certauth plugin and then make certauth asynchronous.  But ... I
> completely recognize that is NOT a small amount of code, makes the pkinit
> plugin more complicated, and requires a change to the certauth plugin API.
> I do not know if this is a corner case or not; I just wanted to raise it
> as something I could see being useful, but it may be that not many people
> need this functionality.  So ... thoughts?

Just to acknowledge: this seems like a valid use case(*), but it would
require a significant restructuring of the PKINIT server code (which
contains a lot of technical debt as it is), so I wouldn't expect it to
happen soon.  Changing the certauth plugin API isn't a big problem; new
methods could be added for async plugins.

For now, I'd suggest seeing if you can sync a copy of the cert deny list
to each KDC, and check against it locally in the plugin module.

(*) With the caveat that online OCSP checking hasn't been successful in
the context browsers, because of the added latency and the bad user
experience if the browser fails closed.  And there isn't much security
value if you fail open, because an attacker could potentially deny
access to the OCSP server.  In the context of PKINIT and a
within-the-enterprise OCSP server, online checking might make more sense.

More information about the krbdev mailing list