> From: Jim Rees <[EMAIL PROTECTED]>
> To: Marcus Watts <[EMAIL PROTECTED]>
> Cc: [email protected]
> Message-ID: <[EMAIL PROTECTED]>
> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
> Date: Fri, 30 Mar 2007 14:34:21 -0500
> 
> The citi implementation of pkinit is in the MIT kerberos source tree, but I
> don't think it has made it into an official release yet.  It has two
> interfaces for doing its pk work.  One is pkcs11, which can be used to talk
> to a smartcard or other secure hardware (or even software) token.  The other
> simply reads certs and keys out of a file.  It requires a client cert, not
> just a key.
> 
> Heimdal has its own pkinit implementation.  It interoperates with ours.  I
> don't know much more about it.
> 
> Microsoft of course has their own implementation which doesn't match the
> rfc.  We do, however, interoperate with them.  MacOS also has an
> implementation.  Last time I looked it was based on an early draft of the
> rfc but I'm sure that has changed.  It uses the Mac crypto api.
> 
> I don't think pkinit could be used to obtain a host context without a host
> key, but maybe someone could think of a way.

draft-ietf-krb-wg-anon-03.txt proposes a way a client could get a ticket
without a client side identity, using DH.  This actually looks more
useful than PKU2U.  However, it does require kdc changes; PKU2U merely
requires library changes + gssapi.

                                -Marcus Watts
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
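The two client-side identity sources Jim describes (a PKCS#11 token, or a cert and key read from a file) are exactly what the pkinit_identities setting in MIT krb5's krb5.conf selects between. The fragment below is an added example, not configuration from the original message or from the citi/MIT source; the realm name, hostname, file paths and module path are assumptions chosen for illustration.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com

        ; File-based identity: the client certificate plus its private key.
        ; As the message notes, a cert is required, not just a key.
        ; (Paths are assumed for this example.)
        pkinit_identities = FILE:/etc/krb5/pkinit/client.pem,/etc/krb5/pkinit/client.key

        ; Alternative: pull the identity from a PKCS#11 token instead
        ; (smartcard, HSM, or a software token). Module path is assumed.
        ; pkinit_identities = PKCS11:module_name=/usr/lib/opensc-pkcs11.so

        ; Trust anchors the client uses to validate the KDC's certificate;
        ; without this the KDC signature on the AS reply cannot be checked.
        pkinit_anchors = FILE:/etc/krb5/pkinit/cacert.pem
    }
```

With this in place, `kinit user@EXAMPLE.COM` attempts PKINIT pre-authentication using the configured identity; the same identity can be supplied per-invocation with `kinit -X X509_user_identity=PKCS11:...` when testing a token without editing the system config. The important check is pkinit_anchors: a client that trusts the wrong CA will happily accept a KDC reply signed by anything that CA issued.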
