directory-dev mailing list archives

From "Enrique Rodriguez" <enriqu...@gmail.com>
Subject Re: [Kerberos] PKINIT support
Date Sun, 23 Sep 2007 23:04:47 GMT
On 9/22/07, Alex Karasulu <akarasulu@apache.org> wrote:
> IMO if you have some time you might want to start work on some developer
> documentation on DNS as well as a user's guide so we can attract more
> committers while answering user questions around DNS.
> ...

Point taken.  I will prioritize this higher than new features, such as
PKINIT or StartTLS.

> ...
> Secondly with respect to technical matters how does this impact what we have
> in Triplesec with HOTP?  Is this another SAM type for the kerberos server
> which uses the class loading scheme we already have in place for verifiers?

My plan is to make pre-auth verifiers "pluggable" in the same way that
core Authenticators can be configured via Spring XML.  I am committed
to supporting Triplesec such that the HOTP verifier works after this
configuration change.  Though, since last I checked, Triplesec builds
against a 1.0, this is moot until Triplesec moves to the next stable
branch.

The class loading scheme only allows one plug-in.  This
configuration/plugin change is separate from PKINIT, which would use
this "plugin point" just like HOTP will.

PKINIT is not another SAM type.  PKINIT has its own base RFC with its
own pre-auth type.

Enrique
