directory-kerby mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Anonymous PKINIT support
Date Sat, 09 Sep 2017 04:50:50 GMT
Thanks Colm for the take. I'll try to bring up the context in my mind and give you some comments
later.

Regards,
Kai

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Friday, September 08, 2017 10:38 PM
To: kerby@directory.apache.org
Subject: Re: Anonymous PKINIT support

Now that I've finished the JWT access token work, it'd be nice to finish the Anonymous PKINIT
side of things to get the Identity token part of it to work. Please review my questions below.

Colm.

On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh <coheigea@apache.org>
wrote:

> Hi all,
>
> As per the recent email on JWT, I'd like to look at the outstanding 
> issues surrounding anonymous PKINIT support in Kerby.
>
> a) Last year I raised concerns about the KDC not signing the response:
>
> https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html
>
> Currently, we don't use the private key at all in the KDC when it is 
> configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:
>
> https://tools.ietf.org/html/rfc6112
>
> "If the KDC's signature is missing in the KDC reply
>    (the reply is anonymous), the client MUST reject the returned ticket
>    if it cannot authenticate the KDC otherwise."
>
> I don't really see how the client can authenticate the KDC as things 
> stand, so I think we need to sign the KDC response and enforce a 
> signature on the client side.
>
> b) From the MIT page:
>
> "If you need to enable anonymity support for TGTs (for use as FAST 
> armor
> tickets) without enabling anonymous authentication to application 
> servers, you can set the variable restrict_anonymous_to_tgt to true in 
> the appropriate [realms] subsection of the KDC’s kdc.conf file."
>
> Is this supported by Kerby? I'm guessing not, but we should add 
> support for it.
>
> c) Is there a way to differentiate between anonymous + authenticated 
> PKINIT in the KDC configuration? What if you don't want to allow the 
> anonymous case?
>
> Colm.
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Mime
View raw message