List: krbdev
Subject: Re: Automatic FAST via Anonymous PKINIT
From: Nico Williams <nico () cryptonector ! com>
Date: 2014-06-11 18:51:08
Message-ID: CAK3OfOjF9GqFevmRbb4FJtm5HsF9aOTsB9bmpCEK6tGjgpT5BQ () mail ! gmail ! com
On Wed, Jun 11, 2014 at 1:03 PM, Nathaniel McCallum
<npmccallum@redhat.com> wrote:
> On Wed, 2014-06-11 at 13:52 -0400, Greg Hudson wrote:
>> If the KDC knows that the principal cannot authenticate using PKINIT, I
>> don't think it should offer PKINIT at all. Right now, the MIT KDC
>> doesn't know what principals have client certificates issued to them (if
>> any), so it offers PKINIT to all principals if the KDC is configured
>> with a KDC cert. But that's an implementation issue.
>
> Are you suggesting that PKINIT shouldn't be offered even when anonymous
> PKINIT is supported? Put otherwise, that the client should try anonymous
> PKINIT even when not offered it?
It should be offered when the cname is the anon cname, if the AS
supports anon PKINIT.