Suggestion of change to certauth plugin interface

Nico Williams nico at
Fri Feb 24 17:13:23 EST 2023

On Fri, Feb 24, 2023 at 04:09:26PM -0500, Ken Hornstein wrote:
> >Wait, why doesn't the KDC furnish the whole chain to the certauth
> >plugin?
> ¯\_(ツ)_/¯
> I imagine it probably should, but I have to live with the API as it
> exists now.  I suspect this wasn't thought about when the plugin API
> was created, and that's fine; it's hard to imagine all of the things you
> might want to do with a plugin when it is first created.  Also, depending
> on what kind of OCSP server you are talking to you probably need the
> original list of CAs to verify the OCSP responder certificate.

It's probably a matter of experience with PKIX when the plugin API was
designed.  The pkinit_pool parameter should generally only be for
finding the local entity's chain from its EE cert, not for finding a
peer's chains from its EE cert -- the peer should send its chain.  I say
"generally" because in a bridged PKI the peer will only send what it
thinks is its complete chain but the local entity will have to construct
the rest of the chain itself that the peer doesn't know about.

Heimdal is willing to break plugin ABIs frequently.  Is MIT not?  My
preference is to redesign plugin interfaces as needed rather than to
muddle along with incomplete designs, though that is painful for sites
that then have to alter their plugins to match the new ABIs.

Maybe MIT should implement OCSP.  Heimdal should too...

