[36998] in Kerberos
Re: PKINIT cert chains
daemon@ATHENA.MIT.EDU (Nico Williams)
Thu May 21 16:30:24 2015
Date: Thu, 21 May 2015 15:30:03 -0500
From: Nico Williams <nico@cryptonector.com>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
Message-ID: <20150521203003.GB3791@localhost>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E7DE551@001FSN2MPN1-046.001f.mgd2.msft.net>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Thu, May 21, 2015 at 05:35:23PM +0000, Nordgren, Bryce L -FS wrote:
> "Cannot create cert chain: unable to get local issuer certificate"

What from?

> Again, there is a single AS_REQ/KRB_ERROR pair to request preauthentication, with no attempts to contact the KDC after I provide my PIN.
> Questions:
>
> 1] Does my KDC cert have to chain back to the same anchor as my smart card certificates?

In principle, no. In a PKI each relying party can have distinct trust
anchor sets for authenticating peers, and each node can have root CAs
for its own certificate that are not in the local trust anchor set.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
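The point in the reply above, that the client validates the KDC's certificate against its own anchor set while the KDC validates the smart card certificate against a different one, modelled with OpenSSL as an added example (not code from this thread or from MIT Kerberos). The CA names, file names and temporary directory are constructed; the wrong-anchor case ends with the same OpenSSL reason quoted at the top of the thread.

```shell
#!/bin/sh
# Added illustration (not from the thread): two independent trust-anchor
# sets. "card-ca" issues the smart card cert, "kdc-ca" issues the KDC cert.
# All names and paths are constructed for this example.
set -e
WORK=$(mktemp -d)

# Self-signed CA named $1.
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Leaf certificate $1 issued by CA $2.
mk_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Build a chain for leaf $1 using ONLY anchor $2; prints "ok" or "fail".
# This is the check each relying party runs against its own anchor set.
chain_status() {
  if openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Same check, but show OpenSSL's own reason text (non-fatal on failure).
chain_reason() {
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" 2>&1 || true
}

mk_ca card-ca
mk_ca kdc-ca
mk_leaf smartcard card-ca
mk_leaf kdc kdc-ca

# Client side: the KDC cert only has to chain to the client's anchor (kdc-ca).
echo "client verifies kdc against kdc-ca:     $(chain_status kdc kdc-ca)"
# KDC side: the card cert only has to chain to the KDC's anchor (card-ca).
echo "KDC verifies smartcard against card-ca: $(chain_status smartcard card-ca)"
# Wrong anchor set: no local issuer, so no chain can be built.
echo "kdc against card-ca:                    $(chain_status kdc card-ca)"
chain_reason kdc card-ca
```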