
Re: PKINIT certificate creation with GnuTLS' certtool

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Jan 8 19:08:53 2016

To: Rick van Rein <rick@openfortress.nl>,
        "kerberos@mit.edu" <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <56904F80.2040900@mit.edu>
Date: Fri, 8 Jan 2016 19:08:32 -0500
MIME-Version: 1.0
In-Reply-To: <56904D4C.60400@openfortress.nl>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 01/08/2016 06:59 PM, Rick van Rein wrote:
>     kdc_principal_seq mentions name_type==1, or NT-PRINCIPAL. Should
>     this not be NT-SRV-INST [Section 6.2 of RFC4120] or does PKINIT not
>     care in practice? (The spec does not, but how about implementations?)

I don't think any implementations care; ours certainly does not.  But I
agree that a name_type of 2 would be more appropriate.

>     principals contains a single GeneralString holding ${ENV::CLIENT} —
>     AFAIK this is hardcoded to only cover rick@ but not rick/admin@ right?

Yes; the config section has to be modified to handle a two-component
principal name.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
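The two points raised in the exchange above (the name_type value in the KDC principal name, and a client `principals` section that only carries a single name component) both concern the KRB5PrincipalName structure that PKINIT places in the id-pkinit-san SubjectAltName (RFC 4556, section 3.2.2). The following is an added example, not code from the thread, from MIT krb5 or from GnuTLS: a minimal DER encoder and decoder for that structure, used to show what a one-component principal with name_type 1 (NT-PRINCIPAL) and a two-component principal such as `rick/admin@REALM` with name_type 2 (NT-SRV-INST) look like on the wire, and to check a certificate's SAN value against an expected principal. The realm `EXAMPLE.ORG` and the principal names are constructed sample values; `parse_principal` is a simplified helper that does not handle backslash escapes.

```python
"""Added example: DER encode/decode for the PKINIT KRB5PrincipalName SAN.

    KRB5PrincipalName ::= SEQUENCE {
        realm         [0] Realm,              -- KerberosString (GeneralString)
        principalName [1] PrincipalName }
    PrincipalName ::= SEQUENCE {
        name-type   [0] Int32,
        name-string [1] SEQUENCE OF KerberosString }
"""

NT_PRINCIPAL = 1   # RFC 4120 section 6.2
NT_SRV_INST = 2

TAG_INTEGER, TAG_SEQUENCE, TAG_GENERAL_STRING = 0x02, 0x30, 0x1B


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _explicit(idx, content):
    # context-specific, constructed tag [idx] used for the EXPLICIT fields above
    return _tlv(0xA0 | idx, content)


def _integer(n):
    # minimal two's-complement encoding, as DER requires
    nbytes = 1
    while not (-(1 << (8 * nbytes - 1)) <= n < (1 << (8 * nbytes - 1))):
        nbytes += 1
    return _tlv(TAG_INTEGER, n.to_bytes(nbytes, "big", signed=True))


def _kerberos_string(s):
    return _tlv(TAG_GENERAL_STRING, s.encode("ascii"))


def encode_krb5_principal_name(realm, components, name_type):
    """Build the DER KRB5PrincipalName for realm + name components."""
    name_string = _tlv(TAG_SEQUENCE, b"".join(_kerberos_string(c) for c in components))
    principal_name = _tlv(TAG_SEQUENCE,
                          _explicit(0, _integer(name_type)) + _explicit(1, name_string))
    return _tlv(TAG_SEQUENCE,
                _explicit(0, _kerberos_string(realm)) + _explicit(1, principal_name))


def _read_tlv(buf, pos, expected_tag):
    """Read one TLV at buf[pos]; return (content, position after it)."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (expected_tag, pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos:pos + length], pos + length


def decode_krb5_principal_name(der):
    """Return (realm, name_type, [components]) from a DER KRB5PrincipalName."""
    outer, end = _read_tlv(der, 0, TAG_SEQUENCE)
    if end != len(der):
        raise ValueError("trailing data after KRB5PrincipalName")
    realm_ctx, pos = _read_tlv(outer, 0, 0xA0)
    realm, _ = _read_tlv(realm_ctx, 0, TAG_GENERAL_STRING)
    pn_ctx, _ = _read_tlv(outer, pos, 0xA1)
    pn, _ = _read_tlv(pn_ctx, 0, TAG_SEQUENCE)
    nt_ctx, pos = _read_tlv(pn, 0, 0xA0)
    nt_raw, _ = _read_tlv(nt_ctx, 0, TAG_INTEGER)
    ns_ctx, _ = _read_tlv(pn, pos, 0xA1)
    ns_seq, _ = _read_tlv(ns_ctx, 0, TAG_SEQUENCE)
    components, pos = [], 0
    while pos < len(ns_seq):
        comp, pos = _read_tlv(ns_seq, pos, TAG_GENERAL_STRING)
        components.append(comp.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(nt_raw, "big", signed=True), components


def parse_principal(text):
    """'rick/admin@EXAMPLE.ORG' -> ('EXAMPLE.ORG', ['rick', 'admin']). Simplified:
    no handling of backslash-escaped '/' or '@' inside a component."""
    name, realm = text.rsplit("@", 1)
    return realm, name.split("/")


def san_matches_principal(der, expected_text):
    """Compare a SAN value against an expected principal string. name_type is
    deliberately ignored, matching the thread's point that implementations do
    not check it; only realm and the full component list must agree."""
    realm, _name_type, components = decode_krb5_principal_name(der)
    return (realm, components) == parse_principal(expected_text)


if __name__ == "__main__":
    realm, comps = parse_principal("rick/admin@EXAMPLE.ORG")
    der = encode_krb5_principal_name(realm, comps, NT_SRV_INST)
    print(der.hex())
    print(decode_krb5_principal_name(der))
```

A single-component name with name_type 1 encodes to 36 bytes in this layout; with a two-component name the inner SEQUENCE OF simply carries two GeneralString elements, which is exactly what a config section holding one `${ENV::CLIENT}` string cannot produce.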

