Suggestion of change to certauth plugin interface

Nico Williams nico at
Fri Feb 24 14:34:47 EST 2023

On Fri, Dec 09, 2022 at 07:16:14AM -0500, Ken Hornstein via krbdev wrote:
> >This wouldn't necessarily require a major API bump, but can you 
> >elaborate on what a certauth module would be interested in the 
> >configured realm list, and can't build it up as queries come in?
> Sure.  I talked before that one of my plugins was for doing OCSP
> checking of client certificates for PKINIT.  Well, it turns out that
> to do that, you need to build up the complete certificate chain so you
> can check the status of intermediate certificates.  To do that, you
> [...]

Wait, why doesn't the KDC furnish the whole chain to the certauth

More information about the krbdev mailing list