[37066] in Kerberos
Re: Differentiate the ServiceTicket issued from Kinit vs PKinit
daemon@ATHENA.MIT.EDU (Jim Shi)
Wed Jun 3 19:46:59 2015
MIME-version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Jim Shi <hanmao_shi@apple.com>
In-reply-to: <54E01304-EF2D-4CDE-8530-A3ABAAC29F66@apple.com>
Date: Wed, 03 Jun 2015 16:46:37 -0700
Message-id: <022A12F1-2667-4C6A-99CF-F4FF754F21B4@apple.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu, Aravind Jerubandi <aravind.jerubandi@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Never mind. I assume the flags is inside the ticket.
Thanks
Jim
> On Jun 3, 2015, at 3:52 PM, Jim Shi <hanmao_shi@apple.com> wrote:
>
> Hi, Ken,
> The TGS ticket flag is set on KDC server. When the client get TGS back from the server, he/she is able to see the flag set by the KDC. Looks klist commands will show flags.
>
> However if the client passes the ticket to some service for verification, , the service will not be able see the these flags. Is that right? My understanding is that these flags are not passed to service??
>
>
>
> Thanks
> Jim
>
>
>
>
>
>> On Jun 3, 2015, at 6:39 AM, Ken Hornstein <kenh@cmf.nrl.navy.mil <mailto:kenh@cmf.nrl.navy.mil>> wrote:
>>
>>> Does this mean the client certificate should have the policy :
>>> 1.3.6.1.4.1.311.20.2.2
>>> (Smart Card Logon)?
>>>
>>> Is it only the client certificate or CA cert should also have this policy?
>>
>> Well, we don't use that particular OID; we use another one defined by our
>> CA that indicates it comes from an approved Smart Card. But that's the
>> basic idea.
>>
>> I don't want to get into a whole discussion about certificate policy;
>> that's sort of outside of the scope of this thread. I will say that in
>> our particlar case, it only matters that the client certificate has that
>> policy OID on it and that's all our implementation checks for.
>>
>> And let me be clear; this is not something that exists in the supplied
>> MIT Kerberos pkinit module. This is our own version of it. I've
>> talked with MIT about incorporating our changes into their module,
>> and they have been receptive; I just haven't had time recently to
>> deal with it.
>>
>> --Ken
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu <mailto:Kerberos@mit.edu>
>> https://mailman.mit.edu/mailman/listinfo/kerberos <https://mailman.mit.edu/mailman/listinfo/kerberos>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
