>in our organisation we are successfully using PKINIT with RSA 2048
>client certificates for many years. We are now trying to move to ECC
>certificates with the curve secp384r1.
>
>All attempts have been unsuccessful yet.

My reading of the code (I am using a newer version of MIT Kerberos than you) is that RSA is hard-coded as the signing algorithm. So it looks like it won't work (I am confident that if I am wrong someone will correct me). I know that at least at our site we're going to have to transition to some kind of post-quantum signing algorithm in the future like many others so I think that eventually this support will be added, but that doesn't help you now unfortunately.

--Ken
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos