From: Colm O hEigeartaigh
Date: Fri, 15 Sep 2017 15:20:35 +0100
Subject: Re: Anonymous PKINIT support
To: kerby@directory.apache.org

I added a "tutorials" section to the website with two tutorials I wrote for Kerby:

http://directory.apache.org/kerby/tutorials.html

On Wed, Sep 13, 2017 at 7:20 AM, Zheng, Kai wrote:
> Thanks Colm for the sharing and telling the story!!
>
> The blog looks pretty informative. I thought we should list or mention it
> somewhere in our Directory/Kerby projects.
>
> Regards,
> Kai
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Monday, September 11, 2017 7:30 PM
> To: Zheng, Kai
> Cc: kerby@directory.apache.org
> Subject: Re: Anonymous PKINIT support
>
> OK thanks! I wrote up the "access token" case as part of a blog post in
> the context of a kerberized JAX-RS web service request using Apache CXF:
>
> http://coheigea.blogspot.ie/2017/09/integrating-json-web-tokens-with.html
>
> Colm.
>
> On Sat, Sep 9, 2017 at 5:50 AM, Zheng, Kai wrote:
>
> > Thanks Colm for the take. I'll try to bring up the context in my mind
> > and give you some comments later.
> >
> > Regards,
> > Kai
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Friday, September 08, 2017 10:38 PM
> > To: kerby@directory.apache.org
> > Subject: Re: Anonymous PKINIT support
> >
> > Now that I've finished the JWT access token work, it'd be nice to
> > finish the Anonymous PKINIT side of things to get the Identity token
> > part of it to work. Please review my questions below.
> >
> > Colm.
> >
> > On Tue, Jun 20, 2017 at 12:39 PM, Colm O hEigeartaigh wrote:
> >
> > > Hi all,
> > >
> > > As per the recent email on JWT, I'd like to look at the outstanding
> > > issues surrounding anonymous PKINIT support in Kerby.
> > >
> > > a) Last year I raised concerns about the KDC not signing the response:
> > >
> > > https://www.mail-archive.com/kerby@directory.apache.org/msg00808.html
> > >
> > > Currently, we don't use the private key at all in the KDC when it is
> > > configured as part of KdcConfigKey.PKINIT_IDENTITY. The spec says that:
> > >
> > > https://tools.ietf.org/html/rfc6112
> > >
> > > "If the KDC's signature is missing in the KDC reply
> > > (the reply is anonymous), the client MUST reject the returned ticket
> > > if it cannot authenticate the KDC otherwise."
> > >
> > > I don't really see how the client can authenticate the KDC as things
> > > stand, so I think we need to sign the KDC response and enforce a
> > > signature on the client side.
> > >
> > > b) From the MIT page:
> > >
> > > "If you need to enable anonymity support for TGTs (for use as FAST
> > > armor tickets) without enabling anonymous authentication to application
> > > servers, you can set the variable restrict_anonymous_to_tgt to true
> > > in the appropriate [realms] subsection of the KDC's kdc.conf file."
> > >
> > > Is this supported by Kerby? I'm guessing not, but we should add
> > > support for it.
> > >
> > > c) Is there a way to differentiate between anonymous + authenticated
> > > PKINIT in the KDC configuration? What if you don't want to allow the
> > > anonymous case?
> > >
> > > Colm.
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com