On Mon, 2008-10-13 at 18:11 -0700, Kais Belgaied wrote:
> > > > * New kinit(1) options:
> > > >
> > > >      -X attribute[=value]
> > > >           specify a pre-authentication attribute and value to be
> > > >           passed to pre-authentication plugins. The acceptable
> > > >           attribute and value values vary from pre-authentication
> > > >           plugin to plugin. This option may be specified multiple
> > > >           times to specify multiple attributes. If no value
> > > >           is specified, it is assumed to be "yes".
> > > >
> > > >           The following attributes are recognized by the OpenSSL pkinit
> > > >           pre-authentication mechanism:
> > > >
> > > >           X509_user_identity=URI
> > > >                Specify where to find user's X509 identity information.
> > > >
> > > >                Valid URI types are FILE, DIR, PKCS11, PKCS12, and ENV.
> > > >                See PKINIT URI Types section for more details.
> > > >
> > > >           X509_anchors=URI
> > > >                Specify where to find trusted X509 anchor information.
> > > >
> > > >                Valid URI types are FILE and DIR.
> > > >                See PKINIT URI Types section for more details.
> > > >
> > > >           flag_RSA_PROTOCOL[=yes]
> > > >                Specify use of RSA, rather than the default
> > > >                Diffie-Hellman protocol.
>
> Does OpenSolaris have any latitude in changing the attributes or do they
> need to be kept verbatim as they come from MIT code drops?
We have latitude but generally we like to remain as compatible with
upstream as possible.

> If we do, then the choice of boolean flag_RSA_PROTOCOL[=yes] excluded other
> key exchange algorithms, such as ECC.

As PKINIT (RFC 4556) doesn't support ECC key exchange I don't see an
immediate need for this, and it is not worth (in my opinion) breaking MIT
compatibility for it now.

I should note that this config file option is "Volatile".

-Mark
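For readers who want to see the -X grammar quoted above as code, the following is an added illustration and not part of this thread, OpenSolaris or MIT Kerberos. It collects the `-X attribute[=value]` pairs from a kinit-style argument list (a missing value becomes "yes", as the quoted text says) and checks the three attributes the OpenSSL pkinit mechanism recognizes against the URI types listed. The assumption that a URI is written as TYPE:rest (e.g. FILE:/path) and that flag_RSA_PROTOCOL accepts only yes/no are mine; the quoted text defers the URI syntax to a "PKINIT URI Types" section that is not reproduced here.

```python
"""Hypothetical parser/validator for kinit -X attribute[=value] pairs.

Added example; not OpenSolaris or MIT code.  Attribute names and the
valid URI types come from the quoted kinit(1) proposal; the TYPE:rest
URI shape and the yes/no boolean check are assumptions for illustration.
"""
from typing import Dict, List

# Attribute -> URI types the quoted proposal lists as valid for it.
URI_ATTRS = {
    "X509_user_identity": {"FILE", "DIR", "PKCS11", "PKCS12", "ENV"},
    "X509_anchors": {"FILE", "DIR"},
}
# Attributes that are simple flags ("[=yes]" in the proposal).
BOOLEAN_ATTRS = {"flag_RSA_PROTOCOL"}


def parse_x_options(argv: List[str]) -> Dict[str, str]:
    """Collect every '-X attr[=value]' pair from a kinit-style argv.

    The option may repeat; a later occurrence of the same attribute wins.
    When '=value' is absent the value is "yes", as the quoted text states.
    Arguments other than -X (e.g. the principal) are ignored here.
    """
    attrs: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        if argv[i] == "-X":
            if i + 1 >= len(argv):
                raise ValueError("-X requires an attribute argument")
            attr, has_value, value = argv[i + 1].partition("=")
            if not attr:
                raise ValueError("-X attribute name must not be empty")
            attrs[attr] = value if has_value else "yes"
            i += 2
        else:
            i += 1
    return attrs


def validate_pkinit_attrs(attrs: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means all recognized
    attributes are well-formed.  Unrecognized attributes are left alone,
    since the proposal says each plugin defines its own attribute set."""
    problems: List[str] = []
    for attr, value in attrs.items():
        if attr in URI_ATTRS:
            # Assumed URI shape: TYPE:rest, e.g. FILE:/path/to/identity
            uri_type, has_sep, rest = value.partition(":")
            if not has_sep or not rest or uri_type not in URI_ATTRS[attr]:
                problems.append(
                    f"{attr}: expected a {sorted(URI_ATTRS[attr])} URI, got {value!r}"
                )
        elif attr in BOOLEAN_ATTRS:
            # Assumption: only yes/no are meaningful for a flag attribute.
            if value.lower() not in ("yes", "no"):
                problems.append(f"{attr}: expected yes or no, got {value!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample argv in the shape of a kinit command line.
    sample = [
        "-X", "X509_user_identity=FILE:/tmp/user.pem",
        "-X", "X509_anchors=DIR:/tmp/anchors",
        "-X", "flag_RSA_PROTOCOL",
        "user@EXAMPLE.COM",
    ]
    parsed = parse_x_options(sample)
    print(parsed)
    print(validate_pkinit_attrs(parsed) or "no problems")
```

Because the check rejects a PKCS11 URI for X509_anchors but accepts it for X509_user_identity, it mirrors the asymmetry in the quoted proposal: identity material may live on a token, trust anchors only in a file or directory.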