[37925] in Kerberos
Re: elliptic curve pkinit?
daemon@ATHENA.MIT.EDU (Bob McElrath)
Mon Apr 3 11:24:16 2017
From: Bob McElrath <bob@vidaidentity.com>
To: Rick van Rein <rick@openfortress.nl>,
"krb@pallissard.net"
<krb@pallissard.net>
Date: Mon, 3 Apr 2017 15:24:01 +0000
Message-ID: <1491233041009.26759@vidaidentity.com>
In-Reply-To: <58E241C2.5040208@openfortress.nl>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
We are using MIT Kerberos with PKINIT using certificates using the secp256k1 curve. It works fine. I believe the certificates can be signed with any elliptic curve that openssl knows how to verify.
Internally the MIT implementation uses ephemeral Diffie-Hellman on RSA. Perhaps that is what Greg meant with his "no" answer?
________________________________________
From: kerberos-bounces@mit.edu <kerberos-bounces@mit.edu> on behalf of Rick van Rein <rick@openfortress.nl>
Sent: Monday, April 3, 2017 8:36 AM
To: krb@pallissard.net
Cc: kerberos@mit.edu
Subject: Re: elliptic curve pkinit?
Hey,
> Has MIT kerberos implemented pkinit with elliptic curve certs/keys? Some initial searching points me to an informational ietf RFC posted out there, but nothing official.
FWIW, in the ARPA2 project we're working on Realm Crossover (based on
DANE/DNSSEC) which uses ECDHE. The protocol is almost compatible with
PKINIT, but not quite on account of a technicality (no tickets in the
reply). The work leaves openings for client-to-KDC access, but doesn't
fill them in.
http://k5wiki.kerberos.org/wiki/Projects/Realm_Crossover_between_KDCs
http://realm-xover.arpa2.net/kerberos.html
A glimpse at upcoming software (and the earlier PoC) are on
https://github.com/arpa2/kxover
-Rick
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos