Suggestion of change to certauth plugin interface

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Feb 24 16:09:26 EST 2023


>> Sure.  I talked before that one of my plugins was for doing OCSP
>> checking of client certificates for PKINIT.  Well, it turns out that
>> to do that, you need to build up the complete certificate chain so you
>> can check the status of intermediate certificates.  To do that, you
>> [...]
>
>Wait, why doesn't the KDC furnish the whole chain to the certauth
>plugin?

¯\_(ツ)_/¯

I imagine it probably should, but I have to live with the API as it
exists now.  I suspect this wasn't thought about when the plugin API
was created, and that's fine; it's hard to imagine all of the things you
might want to do with a plugin when it is first created.  Also, depending
on what kind of OCSP server you are talking to you probably need the
original list of CAs to verify the OCSP responder certificate.

I think my other points about the realm list being provided to the certauth
plugin initializer still stand.

--Ken
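The chain rebuilding Ken describes above, as an added Go example that is not from this thread or from any krb5 certauth plugin: given only the client certificate plus the trusted CA list, it recovers the full path with crypto/x509 and returns each (certificate, issuer) pair an OCSP status query needs, intermediates included. The three-level test PKI, the CA names and the helpers mkCert, ChainLinks, Link and Demo are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a constructed test cert for cn signed by parent (nil = self-signed root).
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial for the throwaway CA
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil { // self-signed root: the template is its own parent
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

type Link struct{ Cert, Issuer *x509.Certificate } // cert plus issuer: what an OCSP request needs

// ChainLinks rebuilds the client cert's path to a trusted root (the work the KDC does not
// do for the plugin) and pairs every non-root cert with its issuer, intermediates included.
func ChainLinks(leaf *x509.Certificate, roots, inters *x509.CertPool) ([]Link, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // client certs carry no serverAuth EKU
	if err != nil { return nil, err }
	var links []Link
	for c := chains[0]; len(c) > 1; c = c[1:] {
		links = append(links, Link{Cert: c[0], Issuer: c[1]})
	}
	return links, nil
}

// Demo builds a constructed root -> intermediate -> client chain and lists what to check.
func Demo() ([]Link, error) {
	root, rootKey := mkCert("Test Root CA", x509.KeyUsageCertSign, nil, nil)
	inter, interKey := mkCert("Test Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	leaf, _ := mkCert("alice@EXAMPLE.COM", x509.KeyUsageDigitalSignature, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the same trust list is what later anchors the OCSP responder's cert
	inters.AddCert(inter)
	return ChainLinks(leaf, roots, inters)
}
```

Demo returns two links, the client cert with its intermediate issuer and the intermediate with the root, which is exactly the set of status checks a leaf-only approach would miss.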