"Douglas E. Engert" <[EMAIL PROTECTED]> writes:

> And this is where PKINIT may play a much bigger role. The "cross trust"
> is done at the PKI level, and certificates are enrolled in the local realm
> as needed.

Is it feasible for a PKINIT-aware KDC to issue session keys to KRB_NT_X500_PRINCIPALs without having to retain any record of the transaction (i.e. not keeping a copy of the certificate or session key)?

I'm not aware of any existing KDC implementations that will issue tickets to an entity that isn't already in the database -- or for which there is not already an explicit "mapping" entry of some sort. The pkinit patch for Heimdal requires a "pki-allowed-principals" explicit mapping section in the KDC config.

In theory this should be possible, although to prevent denial of service attacks, it would have to be done as I mention in the first paragraph -- it would have to be "stateless". From RFC 4120 and the PKINIT draft 16 I don't immediately see any problems with this. Could somebody with more knowledge of Kerberos than I comment on potential obstacles to this?

- a

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
