[37065] in Kerberos


Re: Differentiate the ServiceTicket issued from Kinit vs PKinit

daemon@ATHENA.MIT.EDU (Jim Shi)
Wed Jun 3 18:53:17 2015

MIME-version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Jim Shi <hanmao_shi@apple.com>
In-reply-to: <201506031339.t53DdO2Z021759@hedwig.cmf.nrl.navy.mil>
Date: Wed, 03 Jun 2015 15:52:51 -0700
Message-id: <54E01304-EF2D-4CDE-8530-A3ABAAC29F66@apple.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu, Aravind Jerubandi <aravind.jerubandi@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi, Ken,
The TGS ticket flag is set on the KDC server. When the client gets the TGS ticket back from the server, he/she is able to see the flag set by the KDC. It looks like the klist command will show the flags.

However, if the client passes the ticket to some service for verification, the service will not be able to see these flags. Is that right? My understanding is that these flags are not passed to the service?



Thanks
Jim





> On Jun 3, 2015, at 6:39 AM, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> 
>> Does this mean the client certificate should have the policy :
>> 1.3.6.1.4.1.311.20.2.2
>> (Smart Card Logon)?
>> 
>> Is it only the client certificate or CA cert should also have this policy?
> 
> Well, we don't use that particular OID; we use another one defined by our
> CA that indicates it comes from an approved Smart Card.  But that's the
> basic idea.
> 
> I don't want to get into a whole discussion about certificate policy;
> that's sort of outside of the scope of this thread.  I will say that in
> our particular case, it only matters that the client certificate has that
> policy OID on it and that's all our implementation checks for.
> 
> And let me be clear; this is not something that exists in the supplied
> MIT Kerberos pkinit module.  This is our own version of it.  I've
> talked with MIT about incorporating our changes into their module,
> and they have been receptive; I just haven't had time recently to
> deal with it.
> 
> --Ken
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
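Ken's point above is a presence check for one policy OID in the client certificate. As an added example (not the list's, MIT's, or Ken's code), this minimal DER parser lists the OIDs in a certificatePolicies or extendedKeyUsage extension value and checks for the Smart Card Logon OID quoted earlier in the thread; the extension bytes below are constructed samples, not real certificates.

```python
"""List OIDs in a DER-encoded certificatePolicies or EKU extension value, no external libraries."""

SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # OID quoted in the thread


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets (X.690 base-128) into dotted form."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last octet of this arc
            arcs.append(value)
            value = 0
    first = arcs[0]  # first two arcs are packed into one value
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def listed_oids(ext_value):
    """OIDs in a SEQUENCE OF PolicyInformation (certificatePolicies) or SEQUENCE OF OID (EKU)."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0x30:  # PolicyInformation: policyIdentifier is its first element
            tag, body, _ = _read_tlv(body, 0)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids


def has_policy(ext_value, required):
    """True when the required OID is present in the extension value."""
    return required in listed_oids(ext_value)


# Constructed sample: certificatePolicies with anyPolicy (2.5.29.32.0) and Smart Card Logon.
SAMPLE_POLICIES = bytes.fromhex("3016" "3006" "0604551d2000" "300c" "060a2b060104018237140202")
# Constructed sample: EKU with clientAuth (1.3.6.1.5.5.7.3.2) and Smart Card Logon.
SAMPLE_EKU = bytes.fromhex("3016" "06082b06010505070302" "060a2b060104018237140202")
```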
