Suggestion of change to certauth plugin interface
Nico Williams
nico at cryptonector.com
Fri Feb 24 14:34:47 EST 2023
On Fri, Dec 09, 2022 at 07:16:14AM -0500, Ken Hornstein via krbdev wrote:
> >This wouldn't necessarily require a major API bump, but can you
> >elaborate on what a certauth module would be interested in the
> >configured realm list, and can't build it up as queries come in?
>
> Sure. I talked before that one of my plugins was for doing OCSP
> checking of client certificates for PKINIT. Well, it turns out that
> to do that, you need to build up the complete certificate chain so you
> can check the status of intermediate certificates. To do that, you
> [...]
Wait, why doesn't the KDC furnish the whole chain to the certauth
plugin?