[39310] in Kerberos
Re: Using PKINIT with ECC
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Thu Nov 16 08:43:35 2023
Message-ID: <202311161341.3AGDfILU018263@hedwig.cmf.nrl.navy.mil>
To: Goetz Golla <mit@sec4mail.de>
cc: kerberos@mit.edu
In-Reply-To: <8984fe41-f9a0-434b-a09c-df2bc88125dc@sec4mail.de>
MIME-Version: 1.0
Date: Thu, 16 Nov 2023 08:41:18 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>in our organisation we are successfully using PKINIT with RSA 2048
>client certificates for many years. We are now trying to move to ECC
>certificates with the curve secp384r1.
>
>All attempts have been unsuccessful yet.
My reading of the code (I am using a newer version of MIT Kerberos than
you) is that RSA is hard-coded as the signing algorithm. So it looks
like it won't work (I am confident that if I am wrong someone will
correct me). I know that at least at our site we're going to have to
transition to some kind of post-quantum signing algorithm in the future
like many others so I think that eventually this support will be added,
but that doesn't help you now unfortunately.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
