[39600] in Kerberos
Re: interested in discussing some Kerberos improvements
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sat Apr 4 20:29:13 2026
From: Russ Allbery <eagle@eyrie.org>
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <adGe0bBqzemrS68g@ubby> (Nico Williams's message of "Sat, 4 Apr
2026 18:29:21 -0500")
Date: Sat, 04 Apr 2026 17:28:49 -0700
Message-ID: <87a4vimeri.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kenh@cmf.nrl.navy.mil, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Nico Williams <nico@cryptonector.com> writes:
> As Geoff explained in his reply, the idea is that the KDC can synthesize
> a KDB entry for any principal that doesn't exist in the KDB but for
> which a client certificate is presented (with a PKINIT SAN, issued by a
> CA trusted for that and the realm in question) and issue a ticket.
Ah, yes, right, of course. I had completely forgotten about that.
--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
