Hi Colm,
OK. Will do.
Thanks,
Sammi
-Original Message-
From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
Sent: Tuesday, September 27, 2016 8:23 PM
To: Chen, Sammi
Cc: kerby@directory.apache.org
Subject: Re: Anonymous PKINIT signatures
Hi Sammi,
Yes let's release RC3 soon if it's
...@apache.org
Subject: RE: Anonymous PKINIT signatures
Hi Colm,
When I was looking at the krb5 source code, I found the function
cms_signeddata_verify in pkinit_crypto_openssl.c with the following comments:
" if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
((si = sk_CMS_SignerInfo_
Hi Jiajia,
So if I understand you correctly, what you are saying is that it is
sufficient to verify that the Subject (alternative name) of the Certificate
matches that of the "known principal" of the KDC? In other words, the KDC
is not doing any asymmetric signature, it is just "presenting" the
Hi Colm,
>> >However, I can't see where it is signing the response with the private key
>> >associated with the KDC. This is a requirement for anonymous PKINIT
Yes, you are right. The "Identity" should be used in anonymous PKINIT.
But now in client PkinitPreauth, starting from line 393, we skip to