directory-kerby mailing list archives

From Colm O hEigeartaigh <>
Subject Anonymous PKINIT signatures
Date Thu, 21 Jul 2016 11:26:40 GMT
Hi all,

I'm continuing to look at anonymous PKINIT as implemented in Kerby. I'm a
bit puzzled by a few things relating to signatures and would welcome some

Looking at the server PkinitPreauth, it appears that Diffie-Hellman is used
to establish a shared secret key with the client. However, I can't see
where it is signing the response with the private key associated with the
KDC. This is a requirement for anonymous PKINIT, unless I am mistaken?

Similarly, on the client side, it's not enough just to verify trust in the
Certificate that's presented, it also needs to be using the Certificate to
verify some signed data, to make sure that the KDC knows the private key
associated with the Certificate...

I've updated the code so that the server at least includes the "Identity"
Certificate in the response to the client.



Colm O hEigeartaigh

Talend Community Coder

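The two requirements raised in the message, as an added example in Go that is not Kerby code and not from the thread: the KDC signs its Diffie-Hellman public value with the private key behind its identity certificate, and the client, after checking that it trusts the certificate, verifies that signature with the certificate's public key before deriving the shared secret. It stands in for the KDCDHKeyInfo/SignedData structures of RFC 4556 with a raw ECDSA signature over the DH value and the client's nonce; the self-signed certificate, the P-256 ECDH group, the "kdc-dh|" domain separator, the names `KdcReply`, `kdcBuildReply`, `clientVerifyReply` and `runExchange`, and the host name `kdc.example.test` are all constructed assumptions.

```go
package main
import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KdcReply stands in for the signed KDCDHKeyInfo of PA-PK-AS-REP (constructed).
type KdcReply struct {
	ServerDHPub []byte // KDC's DH public value, uncompressed P-256 point
	Signature   []byte // ASN.1 ECDSA signature made with the KDC's identity key
	CertDER     []byte // KDC identity certificate, DER
}

func must[T any](v T, err error) T { // panics on demo setup failures (key generation)
	if err != nil {
		panic(err)
	}
	return v
}

// signedContent binds the KDC's DH value to the client's nonce (constructed encoding; prevents replay).
func signedContent(serverDHPub, clientNonce []byte) []byte {
	h := sha256.Sum256(append(append([]byte("kdc-dh|"), serverDHPub...), clientNonce...))
	return h[:]
}

// newKdcIdentity creates a throwaway self-signed KDC certificate and its key.
func newKdcIdentity() (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kdc.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// kdcBuildReply (KDC side): fresh DH key, signed with signingKey, which should be the key certified by identityCert.
func kdcBuildReply(signingKey *ecdsa.PrivateKey, identityCert *x509.Certificate, clientNonce []byte) (KdcReply, *ecdh.PrivateKey) {
	serverDH := must(ecdh.P256().GenerateKey(rand.Reader))
	pub := serverDH.PublicKey().Bytes()
	sig := must(ecdsa.SignASN1(rand.Reader, signingKey, signedContent(pub, clientNonce)))
	return KdcReply{ServerDHPub: pub, Signature: sig, CertDER: identityCert.Raw}, serverDH
}

// clientVerifyReply (client side): trust the certificate, then verify the signature with its key, then derive.
func clientVerifyReply(reply KdcReply, roots *x509.CertPool, clientDH *ecdh.PrivateKey, clientNonce []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(reply.CertDER)
	if err != nil {
		return nil, err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, fmt.Errorf("untrusted KDC certificate: %v", err)
	}
	kdcPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("KDC certificate does not carry an ECDSA key")
	}
	if !ecdsa.VerifyASN1(kdcPub, signedContent(reply.ServerDHPub, clientNonce), reply.Signature) {
		return nil, fmt.Errorf("KDC signature over DH value does not verify")
	}
	peer, err := ecdh.P256().NewPublicKey(reply.ServerDHPub)
	if err != nil {
		return nil, err
	}
	return clientDH.ECDH(peer)
}

// runExchange runs a genuine exchange, then one whose reply carries the trusted certificate
// but a DH value signed by a key it does not certify; the returned error is the client's rejection.
func runExchange() (genuineOK bool, otherKeyRejection error) {
	kdcKey, kdcCert := newKdcIdentity()
	roots := x509.NewCertPool()
	roots.AddCert(kdcCert)
	clientDH := must(ecdh.P256().GenerateKey(rand.Reader))
	nonce := make([]byte, 16)
	must(rand.Read(nonce))
	reply, serverDH := kdcBuildReply(kdcKey, kdcCert, nonce)
	clientSecret, err := clientVerifyReply(reply, roots, clientDH, nonce)
	kdcSecret := must(serverDH.ECDH(clientDH.PublicKey()))
	genuineOK = err == nil && string(clientSecret) == string(kdcSecret)
	otherKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	bad, _ := kdcBuildReply(otherKey, kdcCert, nonce)
	_, otherKeyRejection = clientVerifyReply(bad, roots, clientDH, nonce)
	return genuineOK, otherKeyRejection
}

func main() {
	fmt.Println(runExchange())
}
```

The second reply in `runExchange` is the case the message is worried about: it presents the genuine, trusted KDC certificate, so a client that only checks trust in the certificate accepts it, but its DH value was signed by a key the certificate does not certify, so the signature check fails and no shared secret is derived. Binding the client nonce into the signed content is what keeps a correctly signed DH value from one exchange from being reused in another.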