Now that I've finished the JWT access token work, it'd be nice to finish
the Anonymous PKINIT side of things to get the Identity token part of it to
work. Please review my questions below.

Colm.

On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh <cohei...@apache.org>
wrote:

> Hi all,
>
> As per the recent email on JWT, I'd like to look at the outstanding issues
> surrounding anonymous PKINIT support in Kerby.
>
> a) Last year I raised concerns about the KDC not signing the response:
>
> https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html
>
> Currently, we don't use the private key at all in the KDC when it is
> configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:
>
> https://tools.ietf.org/html/rfc6112
>
> "If the KDC's signature is missing in the KDC reply
>    (the reply is anonymous), the client MUST reject the returned ticket
>    if it cannot authenticate the KDC otherwise."
>
> I don't really see how the client can authenticate the KDC as things
> stand, so I think we need to sign the KDC response and enforce a signature
> on the client side.
>
> b) From the MIT page:
>
> "If you need to enable anonymity support for TGTs (for use as FAST armor
> tickets) without enabling anonymous authentication to application servers,
> you can set the variable restrict_anonymous_to_tgt to true in the
> appropriate [realms] subsection of the KDC’s kdc.conf file."
>
> Is this supported by Kerby? I'm guessing not, but we should add support
> for it.
>
> c) Is there a way to differentiate between anonymous + authenticated
> PKINIT in the KDC configuration? What if you don't want to allow the
> anonymous case?
>
> Colm.
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com