
Re: Differentiate the ServiceTicket issued from Kinit vs PKinit

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Wed Jun 3 09:39:40 2015

Message-Id: <201506031339.t53DdO2Z021759@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Aravind Jerubandi <aravind.jerubandi@gmail.com>
In-Reply-To: <CAFiFpnnHTYGEpRGFOO2PUJ6g9gf8L9DvmXj9idU3esdwu_hbEA@mail.gmail.com>
MIME-Version: 1.0
Date: Wed, 03 Jun 2015 09:39:31 -0400
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>Does this mean the client certificate should have the policy :
>1.3.6.1.4.1.311.20.2.2
> (Smart Card Logon)?
>
>Is it only the client certificate or CA cert should also have this policy?

Well, we don't use that particular OID; we use another one defined by our
CA that indicates it comes from an approved Smart Card.  But that's the
basic idea.

I don't want to get into a whole discussion about certificate policy;
that's sort of outside of the scope of this thread.  I will say that in
our particular case, it only matters that the client certificate has that
policy OID on it and that's all our implementation checks for.

And let me be clear; this is not something that exists in the supplied
MIT Kerberos pkinit module.  This is our own version of it.  I've
talked with MIT about incorporating our changes into their module,
and they have been receptive; I just haven't had time recently to
deal with it.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
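The check Ken describes, written out as an added stand-alone example (not code from his pkinit module or from MIT's): walk a DER-encoded CertificatePolicies extension value and test whether a given policy OID is present. The sample extension bytes are constructed inline; the Smart Card Logon OID is the one quoted in the question. In a real KDC plugin the value would come from the client certificate's CertificatePolicies extension after chain validation has already passed.

```python
"""Test a DER CertificatePolicies value for a policy OID (stdlib only)."""

SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # OID quoted in the question

def encode_oid(dotted):
    """Dotted OID -> DER content bytes (base-128 arcs, first two arcs packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # prepend continuation bytes (high bit set)
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes(body)

def decode_oid(body):
    """DER OID content bytes -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(data, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der(tag, content):
    """Build a short-form TLV; enough for the constructed sample below."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def policy_oids(ext_value):
    """Yield each policyIdentifier in a CertificatePolicies SEQUENCE."""
    tag, seq, _ = read_tlv(ext_value)
    assert tag == 0x30, "CertificatePolicies must be a SEQUENCE"
    pos = 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)      # PolicyInformation
        oid_tag, oid_body, _ = read_tlv(info)  # policyIdentifier comes first
        assert oid_tag == 0x06
        yield decode_oid(oid_body)

def has_policy(ext_value, wanted=SMART_CARD_LOGON):
    """True if the client cert's policies list contains the required OID."""
    return wanted in set(policy_oids(ext_value))

# Constructed sample: anyPolicy plus Smart Card Logon, as a KDC would see it.
SAMPLE = der(0x30, der(0x30, der(0x06, encode_oid("2.5.29.32.0")))
                 + der(0x30, der(0x06, encode_oid(SMART_CARD_LOGON))))
```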
