[EMAIL PROTECTED] wrote:
> I saw KX.509. I'm glad to see so much discussion about it here, a publicly visible project makes me feel much happier about the concept. My understanding is KX.509 uses a KCA server to generate the X.509 certificates off of a kerberos backend. (I'm confident there's something at least mildly technically wrong with that statement). Does anyone here have experience setting up the KCA server? I'd be most thankful to hear any sort of reports on how difficult it was to set up.
It was trivial to set up. It compiles with OpenSSL and Kerberos. You can use OpenSSL to generate the CA certificate and key. Since the intent is that the certificates are short term based on the life of the Kerberos ticket, there are no CRLs (but there could be.) The KCA has a Kerberos service principal like any other Kerberos service. The client authenticates to the KCA, generates a key pair, creates a request and sends it securely to the KCA. The KCA takes the principal and lifetime for the ticket and uses them for the certificate, and returns the certificate to the kx509 client. So each time a user requests a certificate, the subject name remains the same, but it has a new key and lifetimes. So SSL/TLS servers like a web server, can use the principal name for authorization.
> Looks like the way to go though, thank you guys very much. I will be sure to investigate. Rektide

________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
-- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
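The issuance model described in the reply above (subject name = Kerberos principal, certificate lifetime = remaining ticket lifetime, a fresh key and serial on every request, so the relying server needs no CRL and can authorize on the principal) can be reproduced with Go's standard-library crypto/x509. The following is an added illustration and not kx509 or KCA code: the `Ticket` struct is a constructed stand-in for the principal and expiry the real KCA reads from the client's Kerberos authentication, and the CA key pair is generated in-process instead of with OpenSSL as the reply suggests.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Ticket: the two fields the KCA takes from the authenticated Kerberos ticket
// (constructed stand-in; real kx509 gets them from the Kerberos exchange).
type Ticket struct {
	Principal string
	Expires   time.Time
}

// KCA holds the CA certificate and its private key (the reply makes these with
// OpenSSL; NewKCA generates them in-process, an assumption of this example).
type KCA struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
}

// sign creates and re-parses a certificate from a template.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewKCA builds a self-signed CA valid for one day.
func NewKCA() (*KCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example KCA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &KCA{CACert: cert, caKey: key}, nil
}

// Issue binds the ticket's principal (subject) and expiry (NotAfter) to the
// client's public key; a new random serial is drawn on every request.
func (k *KCA) Issue(t Ticket, clientPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	now := time.Now()
	if !t.Expires.After(now) {
		return nil, errors.New("kca: ticket already expired, refusing to issue")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: t.Principal},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     t.Expires, // the certificate dies with the ticket, so no CRL
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, k.CACert, clientPub, k.caKey)
}

// IssueForPrincipal plays the kx509 client: fresh key pair, then a request
// carrying the ticket; ttl models the ticket's remaining lifetime.
func IssueForPrincipal(k *KCA, principal string, ttl time.Duration) (*x509.Certificate, error) {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return k.Issue(Ticket{Principal: principal, Expires: time.Now().Add(ttl)}, &clientKey.PublicKey)
}

// AuthorizePrincipal is the TLS server's side: chain the client certificate to
// the KCA's CA as of time `at`, then return the principal from the subject.
func AuthorizePrincipal(caCert, client *x509.Certificate, at time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := client.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return client.Subject.CommonName, nil
}
```

Two issuances for the same principal verify to the same subject but carry different serials and keys, and a certificate presented after its ticket lifetime fails `Verify` on expiry alone, which is the property that lets the deployment do without CRLs.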
