[19273] in Kerberos
Re: PKINIT
daemon@ATHENA.MIT.EDU (Anne & Lynn Wheeler)
Mon May 19 13:10:05 2003
From: Anne & Lynn Wheeler <lynn@garlic.com>
Message-ID: <4r3qeufc.fsf@earthlink.net>
Date: Mon, 19 May 2003 17:08:26 GMT
To: kerberos@MIT.EDU
Errors-To: kerberos-bounces@mit.edu
Lun <ylhuang@csie.nctu.edu.tw> writes:
> I am currently installing krb5-1.2.7. Can I perform
> certificate authentication between my KDC and client?
> How do I configure a certificate-authenticated principal in
> my KDC, and how do I get the certificates for my KDC and principal?
PKINIT allows for initial public key (aka digital signature)
authentication. PKINIT allows for the public key to be provided in a
number of different ways ... either via a certificate-provided public
key ... or by registering the public key in effectively the same
manner that a password would be registered.

It isn't mandated that the method for conveying the public key (for
authenticating the corresponding digital signature) only be done by
a certificate-based process. It is possible to use an existing business
process for registering authentication material ... registering the
public key in the same business process that would be used for registering
a password. In this manner, the business process stays the same, but
it changes from a shared-secret-based authentication material to a
non-shared-secret-based authentication material.
--
Anne & Lynn Wheeler | lynn@garlic.com - http://www.garlic.com/~lynn/
Internet trivia, 20th anniv: http://www.garlic.com/~lynn/rfcietff.htm
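
The registration model described in the message above, as an added example that is not part of the original post and is not PKINIT's wire format: the account record stores a public key where a password-derived key would go, and the server checks a signed timestamp against it. The names `Registry`, `Enroll`, `SignRequest` and `Verify`, the use of Ed25519, the message layout and the five-minute skew are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
	"time"
)

// Registry is the account database: principal name -> registered public key (no shared secret).
type Registry map[string]ed25519.PublicKey

const maxSkew = 5 * time.Minute // assumed clock-skew allowance

// Enroll stands in for the client creating a key pair and registering only its public half.
func (r Registry) Enroll(principal string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	r[principal] = pub
	return priv
}

// message binds a signature to one principal and one timestamp.
func message(principal string, ts time.Time) []byte {
	buf := make([]byte, 8, 8+len(principal))
	binary.BigEndian.PutUint64(buf, uint64(ts.Unix()))
	return append(buf, principal...)
}

// SignRequest runs on the client, the only party holding the private key.
func SignRequest(priv ed25519.PrivateKey, principal string, ts time.Time) []byte {
	return ed25519.Sign(priv, message(principal, ts))
}

// Verify runs on the server and needs nothing beyond the registered public key.
func (r Registry) Verify(principal string, ts, now time.Time, sig []byte) bool {
	pub, ok := r[principal]
	d := now.Sub(ts)
	return ok && d <= maxSkew && d >= -maxSkew && ed25519.Verify(pub, message(principal, ts), sig)
}

func main() {
	reg := Registry{}
	priv := reg.Enroll("alice@EXAMPLE.COM") // constructed sample principal
	now := time.Now()
	fmt.Println(reg.Verify("alice@EXAMPLE.COM", now, now, SignRequest(priv, "alice@EXAMPLE.COM", now)))
}
```

Unlike a password database, a copy of this registry gives its holder nothing to authenticate with, since only public keys are stored.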