directory-kerby mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Anonymous PKINIT support
Date Fri, 15 Sep 2017 14:20:35 GMT
I added a "tutorials" section to the website with two tutorials I wrote for
Kerby:

http://directory.apache.org/kerby/tutorials.html

On Wed, Sep 13, 2017 at 7:20 AM, Zheng, Kai <kai.zheng@intel.com> wrote:

> Thanks Colm for the sharing and telling the story!!
>
> The blog looks pretty informative. I thought we should list or mention it
> somewhere in our Directory/Kerby projects.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, September 11, 2017 7:30 PM
> To: Zheng, Kai <kai.zheng@intel.com>
> Cc: kerby@directory.apache.org
> Subject: Re: Anonymous PKINIT support
>
> OK thanks! I wrote up the "access token" case as part of a blog post in
> the context of a kerberized JAX-RS web service request using Apache CXF:
>
> http://coheigea.blogspot.ie/2017/09/integrating-json-web-tokens-with.html
>
> Colm.
>
> On Sat, Sep 9, 2017 at 5:50 AM, Zheng, Kai <kai.zheng@intel.com> wrote:
>
> > Thanks Colm for the take. I'll try to bring up the context in my mind
> > and give you some comments later.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Friday, September 08, 2017 10:38 PM
> > To: kerby@directory.apache.org
> > Subject: Re: Anonymous PKINIT support
> >
> > Now that I've finished the JWT access token work, it'd be nice to
> > finish the Anonymous PKINIT side of things to get the Identity token
> > part of it to work. Please review my questions below.
> >
> > Colm.
> >
> > On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> >
> > > Hi all,
> > >
> > > As per the recent email on JWT, I'd like to look at the outstanding
> > > issues surrounding anonymous PKINIT support in Kerby.
> > >
> > > a) Last year I raised concerns about the KDC not signing the response:
> > >
> > > https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html
> > >
> > > Currently, we don't use the private key at all in the KDC when it is
> > > configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:
> > >
> > > https://tools.ietf.org/html/rfc6112
> > >
> > > "If the KDC's signature is missing in the KDC reply
> > >    (the reply is anonymous), the client MUST reject the returned ticket
> > >    if it cannot authenticate the KDC otherwise."
> > >
> > > I don't really see how the client can authenticate the KDC as things
> > > stand, so I think we need to sign the KDC response and enforce a
> > > signature on the client side.
> > >
> > > b) From the MIT page:
> > >
> > > "If you need to enable anonymity support for TGTs (for use as FAST armor
> > > tickets) without enabling anonymous authentication to application
> > > servers, you can set the variable restrict_anonymous_to_tgt to true
> > > in the appropriate [realms] subsection of the KDC's kdc.conf file."
> > >
> > > Is this supported by Kerby? I'm guessing not, but we should add
> > > support for it.
> > >
> > > c) Is there a way to differentiate between anonymous + authenticated
> > > PKINIT in the KDC configuration? What if you don't want to allow the
> > > anonymous case?
> > >
> > > Colm.
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
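
The three questions in the quoted thread (the KDC signature on an anonymous reply, restrict_anonymous_to_tgt, and telling anonymous from authenticated PKINIT in the KDC) modelled as a small policy check. This is an added example, not Kerby code or its API: the request record, the RealmConfig class, the allow_anonymous_pkinit flag and the function names are constructed stand-ins; only the RFC 6112 anonymous principal and the MIT restrict_anonymous_to_tgt setting are real identifiers.

```python
from dataclasses import dataclass

# Anonymous client principal defined by RFC 6112 (section 3).
ANON_NAME = "WELLKNOWN/ANONYMOUS"
ANON_REALM = "WELLKNOWN:ANONYMOUS"


@dataclass(frozen=True)
class RealmConfig:
    """Constructed stand-in for per-realm KDC settings (not Kerby's config)."""
    allow_anonymous_pkinit: bool = False     # hypothetical flag for question (c)
    restrict_anonymous_to_tgt: bool = False  # MIT kdc.conf setting from question (b)


@dataclass(frozen=True)
class AsRequest:
    """Constructed stand-in for the PKINIT AS-REQ fields that matter here."""
    client_name: str
    client_realm: str
    server_name: str           # e.g. "krbtgt/EXAMPLE.COM" or "HTTP/www.example.com"
    client_cert_present: bool  # authenticated PKINIT carries a client certificate


def is_anonymous(req: AsRequest) -> bool:
    """Anonymous PKINIT names the RFC 6112 well-known principal; that is how
    the KDC tells the two PKINIT cases apart (question c)."""
    return req.client_name == ANON_NAME and req.client_realm == ANON_REALM


def kdc_decision(req: AsRequest, cfg: RealmConfig) -> str:
    """KDC-side policy: return 'issue' or a 'reject: ...' reason."""
    if not is_anonymous(req):
        if not req.client_cert_present:
            return "reject: authenticated PKINIT needs a client certificate"
        return "issue"
    if not cfg.allow_anonymous_pkinit:
        return "reject: anonymous PKINIT is disabled for this realm"
    # restrict_anonymous_to_tgt: anonymous tickets only for the TGS, so they
    # can serve as FAST armor but not authenticate to application servers.
    if cfg.restrict_anonymous_to_tgt and not req.server_name.startswith("krbtgt/"):
        return "reject: anonymous tickets are restricted to the TGS"
    return "issue"


def client_accepts_reply(kdc_signature_present: bool,
                         kdc_authenticated_otherwise: bool) -> bool:
    """Client-side rule from RFC 6112 (question a): a reply without the KDC's
    signature is anonymous and MUST be rejected unless the KDC was
    authenticated some other way."""
    return kdc_signature_present or kdc_authenticated_otherwise
```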
