directory-dev mailing list archives

From "Enrique Rodriguez" <>
Subject [Kerberos] PKINIT support
Date Sun, 23 Sep 2007 00:47:25 GMT
Hi, Directory developers,

I have a window with no major deadlines for the next few weeks, so I
looked into adding 1 new Kerberos feature for the next release.  After
doing some "due diligence," i.e., reading the relevant specs and
reviewing what support I need from the JDK and various libraries, I am
highly confident I can add PKINIT support for 1.5.2.

PKINIT is a pre-authentication type for Kerberos (detailed in RFC
4556).  For those not familiar, PKINIT can be quickly summarized as
"smartcard authentication for Kerberos, replacing the
username/password."  PKINIT can also work with a local keypair, so
there isn't a requirement for hardware like an actual smartcard,
though that is the intended deployment scenario.

Since this is only a new pre-authentication verifier, I would rather
not branch and instead develop this, at first, in my sandbox.  I have
time starting this weekend, so I'd like to start to get code
committed, to back the code up.

