Hi, Directory developers,

I have a window with no major deadlines for the next few weeks, so I looked into adding 1 new Kerberos feature for the next release. After doing some "due diligence," i.e., reading the relevant specs and reviewing what support I need from the JDK and various libraries, I am highly confident I can add PKINIT support for 1.5.2.

PKINIT is a pre-authentication type for Kerberos (detailed in RFC 4556). For those not familiar, PKINIT can be quickly summarized as "smartcard authentication for Kerberos, replacing the username/password." PKINIT can also work with a local keypair, so there isn't a requirement for hardware like an actual smartcard, though that is the intended deployment scenario.

Since this is only a new pre-authentication verifier, I would rather not branch and instead develop this, at first, in my sandbox. I have time starting this weekend, so I'd like to start to get code committed, to back the code up.

Enrique
