Hi all,

As per the recent email on JWT, I'd like to look at the outstanding issues
surrounding anonymous PKINIT support in Kerby.

a) Last year I raised concerns about the KDC not signing the response:

https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html

Currently, we don't use the private key at all in the KDC when it is
configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:

https://tools.ietf.org/html/rfc6112

"If the KDC's signature is missing in the KDC reply (the reply is anonymous),
the client MUST reject the returned ticket if it cannot authenticate the KDC
otherwise."

I don't really see how the client can authenticate the KDC as things stand,
so I think we need to sign the KDC response and enforce a signature on the
client side.

b) From the MIT page:

"If you need to enable anonymity support for TGTs (for use as FAST armor
tickets) without enabling anonymous authentication to application servers,
you can set the variable restrict_anonymous_to_tgt to true in the
appropriate [realms] subsection of the KDC’s kdc.conf file."

Is this supported by Kerby? I'm guessing not, but we should add support for
it.

c) Is there a way to differentiate between anonymous + authenticated PKINIT
in the KDC configuration? What if you don't want to allow the anonymous
case?

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
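For reference, this is what the MIT krb5 setting quoted under (b) looks like in a kdc.conf [realms] subsection, alongside the PKINIT identity settings the KDC uses to sign its replies. This is an added illustration, not part of the email above and not Kerby configuration; the realm name and file paths are placeholders.

```ini
# Added example of an MIT krb5 kdc.conf fragment (not Kerby's config format).
# EXAMPLE.COM and the file paths are placeholders.
[realms]
    EXAMPLE.COM = {
        # KDC certificate and private key; the key signs PKINIT replies (RFC 4556)
        pkinit_identity = FILE:/path/to/kdc.crt,/path/to/kdc.key
        # CA certificates the KDC trusts when validating client certificates
        pkinit_anchors = FILE:/path/to/cacert.pem
        # Anonymous clients may obtain a TGT (e.g. for use as FAST armor)
        # but the KDC will not issue them service tickets
        restrict_anonymous_to_tgt = true
    }
```

In MIT krb5 anonymous PKINIT is additionally gated on the WELLKNOWN/ANONYMOUS principal existing in the KDC database, so a realm that never creates it refuses the anonymous case entirely while still accepting certificate-authenticated PKINIT; that is the kind of distinction question (c) asks about.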
