The CITI implementation of pkinit is in the MIT Kerberos source tree, but I don't think it has made it into an official release yet. It has two interfaces for doing its pk work. One is pkcs11, which can be used to talk to a smartcard or other secure hardware (or even software) token. The other simply reads certs and keys out of a file. It requires a client cert, not just a key.
Heimdal has its own pkinit implementation. It interoperates with ours. I don't know much more about it. Microsoft of course has their own implementation which doesn't match the RFC. We do, however, interoperate with them. MacOS also has an implementation. Last time I looked it was based on an early draft of the RFC but I'm sure that has changed. It uses the Mac crypto API. I don't think pkinit could be used to obtain a host context without a host key, but maybe someone could think of a way.
