Really sorry for the very late follow-on to the discussion. These are indeed good 
questions; my answers to them would all be yes.

Quite some time ago we did want to develop complete PKINIT support and then start 
the work on the Anonymous support. That's why, besides the Kerberos-related 
code, we also worked out lots of PKI-related code like cms, pki, etc., and 
then stopped somewhere due to a priority adjustment.

Anonymous PKINIT support is interesting because it can be used to establish an 
armor channel for the JWT token support without introducing too much overhead, 
e.g. no client-side certificate. But it still needs the KDC side's public key 
and the validation chain.

Thanks for catching and raising the issue that the client hasn't validated the 
KDC's reply by checking its signature. If we claim the feature is done and can 
work, the security issue should be fixed. However, I'm not sure how easy it is 
to fix the issue; Jiajia might be able to provide some hints, as it looks like 
she is working on the cross-realm support, which is another big feature Kerby 
leaves to attack.

For the two cases of PKINIT (anonymous, or client authenticated via X.509 
certificate), I thought the Kerby client should/could have separate APIs because 
they need different parameters and also rely on different configurations. So 
the KerbClient-KDC flow will be triggered in two different flows.

I'm not sure if this helps a bit; if necessary, I can try to find bandwidth 
to provide my review/clarification when possible. It would be great to fix the 
gaps and deliver the Anonymous PKINIT feature.

Regards,
Kai
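The client-side check Kai and Colm are discussing (the RFC 6112 rule that an unsigned KDC reply must be rejected unless the KDC is authenticated some other way, and that a signed reply must actually verify under a trusted KDC key) is modelled below in Go. This is an added illustration, not Kerby code: `KdcReply`, `kdcSign` and `clientVerify` are constructed names, the payload is a stand-in for the DH value or reply key a real PKINIT AS-REP signs, and a raw ECDSA signature over a SHA-256 digest replaces the CMS SignedData structure and certificate-chain validation the real protocol uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KdcReply is a constructed stand-in for the signed part of a PKINIT
// AS-REP. In the real protocol the KDC signs the DH public value or the
// reply key it returns; Signature is nil when the KDC did not sign.
type KdcReply struct {
	Payload   []byte
	Signature []byte // DER-encoded ECDSA signature over SHA-256(Payload)
}

var (
	ErrUnsignedReply = errors.New("pkinit: KDC reply carries no signature and the KDC is not otherwise authenticated")
	ErrBadSignature  = errors.New("pkinit: KDC signature does not verify against the trusted KDC key")
)

// kdcSign is the KDC side: sign the reply material with the KDC's private key.
func kdcSign(kdcKey *ecdsa.PrivateKey, payload []byte) (KdcReply, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, kdcKey, digest[:])
	if err != nil {
		return KdcReply{}, err
	}
	return KdcReply{Payload: payload, Signature: sig}, nil
}

// clientVerify is the client side of the RFC 6112 rule: an unsigned reply is
// rejected unless the KDC was authenticated some other way, and a signed reply
// is accepted only if the signature verifies under the trusted KDC public key
// (in a real deployment that key comes from the validated KDC certificate chain).
func clientVerify(trustedKdc *ecdsa.PublicKey, reply KdcReply, kdcOtherwiseAuthenticated bool) error {
	if len(reply.Signature) == 0 {
		if kdcOtherwiseAuthenticated {
			return nil
		}
		return ErrUnsignedReply
	}
	digest := sha256.Sum256(reply.Payload)
	if !ecdsa.VerifyASN1(trustedKdc, digest[:], reply.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	kdcKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a key the client does not trust
	payload := []byte("constructed DH public value")

	good, _ := kdcSign(kdcKey, payload)
	fmt.Println("signed by trusted KDC:   ", clientVerify(&kdcKey.PublicKey, good, false))

	unsigned := KdcReply{Payload: payload}
	fmt.Println("unsigned reply:          ", clientVerify(&kdcKey.PublicKey, unsigned, false))

	untrusted, _ := kdcSign(otherKey, payload)
	fmt.Println("signed by untrusted key: ", clientVerify(&kdcKey.PublicKey, untrusted, false))

	tampered := KdcReply{Payload: []byte("modified value"), Signature: good.Signature}
	fmt.Println("payload changed in flight:", clientVerify(&kdcKey.PublicKey, tampered, false))
}
```

Only the first case returns a nil error; the KDC-side half of the fix is that the configured `PKINIT_IDENTITY` private key is actually used to produce the signature, and the client-side half is that the reply is refused when that signature is absent or fails to verify.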

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]] 
Sent: Friday, September 08, 2017 10:38 PM
To: [email protected]
Subject: Re: Anonymous PKINIT support

Now that I've finished the JWT access token work, it'd be nice to finish the 
Anonymous PKINIT side of things to get the Identity token part of it to work. 
Please review my questions below.

Colm.

On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh <[email protected]>
wrote:

> Hi all,
>
> As per the recent email on JWT, I'd like to look at the outstanding 
> issues surrounding anonymous PKINIT support in Kerby.
>
> a) Last year I raised concerns about the KDC not signing the response:
>
> https://www.mail-archive.com/[email protected]/msg00808.html
>
> Currently, we don't use the private key at all in the KDC when it is 
> configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:
>
> https://tools.ietf.org/html/rfc6112
>
> "If the KDC's signature is missing in the KDC reply
>    (the reply is anonymous), the client MUST reject the returned ticket
>    if it cannot authenticate the KDC otherwise."
>
> I don't really see how the client can authenticate the KDC as things 
> stand, so I think we need to sign the KDC response and enforce a 
> signature on the client side.
>
> b) From the MIT page:
>
> "If you need to enable anonymity support for TGTs (for use as FAST 
> armor
> tickets) without enabling anonymous authentication to application 
> servers, you can set the variable restrict_anonymous_to_tgt to true in 
> the appropriate [realms] subsection of the KDC’s kdc.conf file."
>
> Is this supported by Kerby? I'm guessing not, but we should add 
> support for it.
>
> c) Is there a way to differentiate between anonymous + authenticated 
> PKINIT in the KDC configuration? What if you don't want to allow the 
> anonymous case?
>
> Colm.
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
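Points (b) and (c) in Colm's original mail are both KDC-side policy questions: whether anonymous PKINIT is permitted at all, and whether an anonymous TGT may be used for anything beyond obtaining further TGTs (the MIT `restrict_anonymous_to_tgt` behaviour). The Go block below is an added example of such a decision function, not Kerby's implementation: `RealmPolicy`, `Request` and `decide` are constructed names, `AllowAnonymousPkinit` is a hypothetical setting standing in for whatever configuration key would answer (c), and `RestrictAnonymousToTgt` mirrors the MIT variable quoted above.

```go
package main

import "fmt"

// ReqKind distinguishes the two KDC exchanges relevant here.
type ReqKind int

const (
	ASReq  ReqKind = iota // initial authentication; a successful AS-REQ yields a TGT
	TGSReq                // ticket-granting request for a service ticket
)

// PkinitAuth records how the client proved its identity in an AS-REQ.
type PkinitAuth int

const (
	NoPkinit   PkinitAuth = iota // some other pre-authentication mechanism
	AnonPkinit                   // anonymous PKINIT: no client certificate, principal WELLKNOWN/ANONYMOUS
	CertPkinit                   // client authenticated with an X.509 certificate
)

// RealmPolicy holds two per-realm settings. AllowAnonymousPkinit is a
// hypothetical key for "do we permit the anonymous case at all";
// RestrictAnonymousToTgt mirrors MIT krb5's restrict_anonymous_to_tgt.
type RealmPolicy struct {
	AllowAnonymousPkinit   bool
	RestrictAnonymousToTgt bool
}

// Request is the subset of an incoming KDC request the policy needs.
type Request struct {
	Kind            ReqKind
	Auth            PkinitAuth // only meaningful for ASReq
	ClientAnonymous bool       // TGSReq: the presented TGT is an anonymous ticket
	TargetIsTgt     bool       // TGSReq: target service is a krbtgt principal
}

// Decision is the KDC's verdict plus a reason suitable for the KDC log.
type Decision struct {
	Allowed bool
	Reason  string
}

// decide applies the realm policy to one request.
func decide(p RealmPolicy, r Request) Decision {
	switch r.Kind {
	case ASReq:
		switch r.Auth {
		case AnonPkinit:
			if !p.AllowAnonymousPkinit {
				return Decision{false, "anonymous PKINIT is disabled for this realm"}
			}
			return Decision{true, "anonymous TGT issued"}
		case CertPkinit:
			return Decision{true, "certificate-authenticated TGT issued"}
		default:
			return Decision{true, "handled by other pre-authentication mechanisms (out of scope here)"}
		}
	case TGSReq:
		// An anonymous TGT is still usable as a FAST armor ticket or to get
		// another TGT; with the restriction on, it cannot reach application services.
		if r.ClientAnonymous && p.RestrictAnonymousToTgt && !r.TargetIsTgt {
			return Decision{false, "anonymous ticket may only be used to obtain TGTs (restrict_anonymous_to_tgt)"}
		}
		return Decision{true, "service ticket issued"}
	}
	return Decision{false, "unknown request kind"}
}

func main() {
	policy := RealmPolicy{AllowAnonymousPkinit: true, RestrictAnonymousToTgt: true}
	cases := []Request{
		{Kind: ASReq, Auth: AnonPkinit},
		{Kind: ASReq, Auth: CertPkinit},
		{Kind: TGSReq, ClientAnonymous: true, TargetIsTgt: true},
		{Kind: TGSReq, ClientAnonymous: true, TargetIsTgt: false},
		{Kind: TGSReq, ClientAnonymous: false, TargetIsTgt: false},
	}
	for _, c := range cases {
		d := decide(policy, c)
		fmt.Printf("%+v -> allowed=%v (%s)\n", c, d.Allowed, d.Reason)
	}
	fmt.Println(decide(RealmPolicy{}, Request{Kind: ASReq, Auth: AnonPkinit}))
}
```

With `RestrictAnonymousToTgt` on, the fourth case (anonymous TGT presented for an ordinary service) is the one the MIT setting exists to stop, while the third (anonymous TGT used to obtain a TGT, the armor-ticket use) still succeeds; with `AllowAnonymousPkinit` off, the anonymous AS-REQ is refused before a ticket is ever minted, which is the distinction point (c) asks for.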
