On 02/02/2017 06:04 AM, Jacques Henry wrote:
> When talking to the draft9 are you referring to this?
> https://tools.ietf.org/html/draft-ietf-cat-kerberos-pk-init-09

Yes. Microsoft implemented this version of PKINIT and shipped it in Windows 2000, Windows XP, and Server 2003. Later versions of Windows software implement both the draft 9 version of PKINIT and the final version.

> Indeed, I don't understand this fallback for a wrong PIN.

It's an accident of how preauth is performed. The KDC offers both PKINIT mechanisms and our preauth framework tries them in order. The framework does not know that the two mechanisms are different versions of the same standard, or that the client-side failure from the first module was due to incorrect user input.

I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8544 about this incorrect fallback. A conservative fix should be pretty simple.

> I have activated the DEBUG_ASN1 flag so I get up with the following file:
> /tmp/client_received_pkcs7_signeddata

If you send me that file as an attachment (no need to cc the list), I can have a look.
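
Added example (not part of the original message and not MIT krb5 code): a small C model of the fallback described in the reply, where a framework that tries each offered PKINIT mechanism in order runs the second one even though the first failed on a wrong PIN. The offer order, the result codes, the function names, the sample PINs and the stop_on_user_error policy are assumptions for illustration; the policy is one possible approach, not the fix tracked in ticket 8544.

```c
#include <stdio.h>
#include <string.h>

/* Preauth type numbers of the two PKINIT versions (draft 9 and final). */
enum { PA_PK_AS_REQ_OLD = 14, PA_PK_AS_REQ = 16 };

/* Hypothetical result codes for this model; not krb5 error codes. */
enum result { R_OK, R_BAD_USER_INPUT, R_UNSUPPORTED };

static int attempts;  /* number of mechanism attempts in one exchange */

/* Model of a PKINIT client module: either version needs the same PIN. */
static enum result pkinit_try(int pa_type, const char *pin)
{
    (void)pa_type;
    attempts++;
    return strcmp(pin, "1234") == 0 ? R_OK : R_BAD_USER_INPUT; /* constructed PIN */
}

/* Try each offered mechanism in order. With stop_on_user_error == 0 every
 * failure looks the same, so the loop falls through to the next mechanism. */
static enum result do_preauth(const int *offered, int n, const char *pin, int stop_on_user_error)
{
    enum result r = R_UNSUPPORTED;
    for (int i = 0; i < n; i++) {
        r = pkinit_try(offered[i], pin);
        if (r == R_OK || (stop_on_user_error && r == R_BAD_USER_INPUT))
            return r;
    }
    return r;
}

/* Returns how many mechanisms were attempted for one exchange. */
int attempts_for(const char *pin, int stop_on_user_error)
{
    const int offered[] = { PA_PK_AS_REQ, PA_PK_AS_REQ_OLD }; /* assumed order */
    attempts = 0;
    do_preauth(offered, 2, pin, stop_on_user_error);
    return attempts;
}

int main(void)
{
    printf("wrong PIN, fall through: %d attempts\n", attempts_for("0000", 0));
    printf("wrong PIN, stop early:   %d attempts\n", attempts_for("0000", 1));
    printf("right PIN:               %d attempts\n", attempts_for("1234", 0));
    return 0;
}
```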