in Kerberos-V5-bugs
[krbdev.mit.edu #8733] Multiple pkinit_identities semantics are
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Sep 5 13:04:36 2018
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8733'":;
Date: Wed, 5 Sep 2018 13:04:24 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
The documentation for pkinit_identities states:
This option may be specified multiple
times. Each value is attempted in order until identity
information is found and authentication is attempted.
This could be interpreted in several ways. In reality, the loop in
pkinit_identity_initialize() tries each value until one of them
successfully parses, regardless of whether the parsed values point to
valid identity information. These don't seem like very useful
semantics, but I can think of one useful scenarios: an ENV: value
will fail to parse if the environment variable isn't defined, so the
first value could specify an override variable and the second value
could specify a default. (A PKCS11: value will also fail to parse if
the library has no PKCS11 support, but that doesn't seem very
Other possible semantics for multiple pkinit_identities values
* Try to load all of them into the creds array and then use identity
selection to pick one. This meaning doesn't match the current
documentation but hews closely to what we do for multiple creds
obtained via a single DIR: value.
* Try each value until not just until one of them parses, but until
one of them results in a PKINIT request (as indicated by "and
authentication is attempted" in the documentation).
Both approaches would require substantial code changes and (as far as
I can remember) nobody has really asked for either of them, so
clarifying the documentation may be the best change for now.
krb5-bugs mailing list