directory-kerby mailing list archives

From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Anonymous PKINIT support
Date Wed, 13 Sep 2017 06:20:51 GMT
Thanks, Colm, for sharing and telling the story!!

The blog looks pretty informative. I thought we should list or mention it somewhere in our
Directory/Kerby projects.

Regards,
Kai

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Monday, September 11, 2017 7:30 PM
To: Zheng, Kai <kai.zheng@intel.com>
Cc: kerby@directory.apache.org
Subject: Re: Anonymous PKINIT support

OK thanks! I wrote up the "access token" case as part of a blog post in the context of a kerberized
JAX-RS web service request using Apache CXF:

http://coheigea.blogspot.ie/2017/09/integrating-json-web-tokens-with.html

Colm.

On Sat, Sep 9, 2017 at 5:50 AM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Thanks Colm for the take. I'll try to bring up the context in my mind 
> and give you some comments later.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Friday, September 08, 2017 10:38 PM
> To: kerby@directory.apache.org
> Subject: Re: Anonymous PKINIT support
>
> Now that I've finished the JWT access token work, it'd be nice to 
> finish the Anonymous PKINIT side of things to get the Identity token 
> part of it to work. Please review my questions below.
>
> Colm.
>
> On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>
> > Hi all,
> >
> > As per the recent email on JWT, I'd like to look at the outstanding 
> > issues surrounding anonymous PKINIT support in Kerby.
> >
> > a) Last year I raised concerns about the KDC not signing the response:
> >
> > https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html
> >
> > Currently, we don't use the private key at all in the KDC when it is 
> > configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:
> >
> > https://tools.ietf.org/html/rfc6112
> >
> > "If the KDC's signature is missing in the KDC reply
> >    (the reply is anonymous), the client MUST reject the returned ticket
> >    if it cannot authenticate the KDC otherwise."
> >
> > I don't really see how the client can authenticate the KDC as things 
> > stand, so I think we need to sign the KDC response and enforce a 
> > signature on the client side.
> >
> > b) From the MIT page:
> >
> > "If you need to enable anonymity support for TGTs (for use as FAST armor tickets)
> > without enabling anonymous authentication to application servers, you can set
> > the variable restrict_anonymous_to_tgt to true in the appropriate [realms]
> > subsection of the KDC's kdc.conf file."
> >
> > Is this supported by Kerby? I'm guessing not, but we should add 
> > support for it.
> >
> > c) Is there a way to differentiate between anonymous + authenticated 
> > PKINIT in the KDC configuration? What if you don't want to allow the 
> > anonymous case?
> >
> > Colm.
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
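Added example, not part of this thread and not Kerby code: the MIT krb5 configuration that the quoted text in point (b) refers to, shown together with the client-side setting that is what actually lets a client authenticate the KDC in the anonymous case of point (a). In MIT's PKINIT, the KDC signs PA-PK-AS-REP with the key named by pkinit_identity, and the client verifies that signature against the trust anchors in its own pkinit_anchors; the anonymous client brings no certificate of its own, so without pkinit_anchors it has no way to authenticate the KDC and must reject the ticket as RFC 6112 says. The realm name and file paths below are assumptions; the option names, the WELLKNOWN/ANONYMOUS principal and the "kinit -n" client invocation are as documented by MIT.

```ini
# --- KDC side: kdc.conf (MIT krb5) ---
# Realm name and paths are assumed for illustration.
[realms]
    EXAMPLE.COM = {
        # KDC certificate and private key: this is what signs the
        # PA-PK-AS-REP that the client checks (point (a) in the thread).
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
        # CA(s) the KDC trusts for client certificates in non-anonymous PKINIT.
        pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
        # Point (b): anonymous tickets may only be TGTs (FAST armor);
        # anonymous service tickets for application servers are refused.
        restrict_anonymous_to_tgt = true
    }

# Anonymous PKINIT is only possible when the anonymous principal exists
# in the KDC database (MIT docs); leaving it out is the MIT answer to
# point (c), "what if you don't want to allow the anonymous case":
#   kadmin.local -q "addprinc -randkey WELLKNOWN/ANONYMOUS"

# --- Client side: krb5.conf ---
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # The anonymous client has no certificate or key of its own, so this
        # trust anchor is the only thing that authenticates the KDC's signature
        # on the reply. Without it the client cannot satisfy the RFC 6112 MUST.
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }

# Obtain an anonymous TGT (usable as FAST armor) with:
#   kinit -n
```

Note the asymmetry this makes explicit for the Kerby discussion: the KDC-side private key is exercised on every reply, so a KDC that never touches the key configured under its PKINIT identity cannot be producing a reply the client can verify this way, and a client that does not check the signature against an anchor is trusting whoever answered on port 88.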