Hi Obaid,

On Fri, May 08, 2026 at 11:31:36PM +0000, Obaid Farooqi wrote:
> MS-SPNG also mentions negTokenInit2 message that can optionally
> contain a mech token and in this it relates to first choice which is
> NEGOEX.
> This token is a NEGOEX message containing the meta data.
> In this mech token (negoex), server is advertising the issuer's name
> of the certificate issuer that it expects from the client.
>
> CN = MS-Organization-P2P-Access [2026]
>
> I believe the proper place for this is a document that would
> describe the PKU2U specific meta data.
>
> PKINIT RFC4556 does mention TD-TRUSTED-CERTIFIERS. PKU2U uses PKINIT.
>
> The client looks for certificate issued by this certification
> authority in its certificate store for generating AS-REQ
>
> Please let me know if this does not answer your question.

I would have expected this to be documented somewhere and not just in
this mail. Windows 11 does it, so I would have thought I can find it
somewhere in the protocol specs.

Is there anything we can do to get this properly documented?

Thanks,

Volker

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
