Thanks, Colm, for sharing and telling the story!! The blog looks pretty informative. I thought we should list or mention it somewhere in our Directory/Kerby projects.
Regards,
Kai

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Monday, September 11, 2017 7:30 PM
To: Zheng, Kai <[email protected]>
Cc: [email protected]
Subject: Re: Anonymous PKINIT support

OK thanks! I wrote up the "access token" case as part of a blog post in the context of a kerberized JAX-RS web service request using Apache CXF:

http://coheigea.blogspot.ie/2017/09/integrating-json-web-tokens-with.html

Colm.

On Sat, Sep 9, 2017 at 5:50 AM, Zheng, Kai <[email protected]> wrote:
> Thanks Colm for the take. I'll try to bring up the context in my mind
> and give you some comments later.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Friday, September 08, 2017 10:38 PM
> To: [email protected]
> Subject: Re: Anonymous PKINIT support
>
> Now that I've finished the JWT access token work, it'd be nice to
> finish the Anonymous PKINIT side of things to get the Identity token
> part of it to work. Please review my questions below.
>
> Colm.
>
> On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh <[email protected]> wrote:
>
> > Hi all,
> >
> > As per the recent email on JWT, I'd like to look at the outstanding
> > issues surrounding anonymous PKINIT support in Kerby.
> >
> > a) Last year I raised concerns about the KDC not signing the response:
> >
> > https://www.mail-archive.com/[email protected]/msg00808.html
> >
> > Currently, we don't use the private key at all in the KDC when it is
> > configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:
> >
> > https://tools.ietf.org/html/rfc6112
> >
> > "If the KDC's signature is missing in the KDC reply (the reply is
> > anonymous), the client MUST reject the returned ticket if it cannot
> > authenticate the KDC otherwise."
> >
> > I don't really see how the client can authenticate the KDC as things
> > stand, so I think we need to sign the KDC response and enforce a
> > signature on the client side.
> >
> > b) From the MIT page:
> >
> > "If you need to enable anonymity support for TGTs (for use as FAST
> > armor tickets) without enabling anonymous authentication to
> > application servers, you can set the variable
> > restrict_anonymous_to_tgt to true in the appropriate [realms]
> > subsection of the KDC’s kdc.conf file."
> >
> > Is this supported by Kerby? I'm guessing not, but we should add
> > support for it.
> >
> > c) Is there a way to differentiate between anonymous + authenticated
> > PKINIT in the KDC configuration? What if you don't want to allow the
> > anonymous case?
> >
> > Colm.
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
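Added illustration, not part of the thread: the MIT krb5 kdc.conf setting quoted in Colm's question (b), shown in the [realms] stanza where MIT reads it. The realm name and file paths are placeholders constructed for this example; whether Kerby honours an equivalent setting is the open question in the thread and is not answered here.

```ini
[realms]
    # EXAMPLE.COM is a placeholder realm name constructed for this example
    EXAMPLE.COM = {
        # KDC certificate/key and trust anchors used for PKINIT (placeholder paths)
        pkinit_identity = FILE:/path/to/kdc.crt,/path/to/kdc.key
        pkinit_anchors = FILE:/path/to/cacert.pem

        # Weak setting (MIT default): anonymous PKINIT clients may obtain
        # service tickets to any application server.
        # restrict_anonymous_to_tgt = false

        # Hardened setting: anonymous principals may only obtain tickets for
        # the realm's ticket-granting service, i.e. TGTs usable as FAST armor,
        # and are refused service tickets to application servers.
        restrict_anonymous_to_tgt = true
    }
```

On MIT, anonymous PKINIT is only active once the realm contains the WELLKNOWN/ANONYMOUS principal (created with kadmin's `addprinc -randkey WELLKNOWN/ANONYMOUS`), so a KDC without that principal refuses anonymous requests outright; this is the closest MIT equivalent to Colm's question (c) of disallowing the anonymous case entirely while keeping authenticated PKINIT.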
