[17159] in Kerberos_V5_Development
Re: NSS for PKINIT, in-progress patches available, feedback sought
daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Tue Sep 13 01:13:32 2011
Mime-Version: 1.0 (Apple Message framework v1084)
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <mailman.535.1315499808.29672.krbdev@mit.edu>
Date: Mon, 12 Sep 2011 22:13:23 -0700
Message-Id: <CF4EDD90-4EFC-493F-87EA-FDCA6E104EB8@jpl.nasa.gov>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Sep 8, 2011, at 9:36 AM, krbdev-request@mit.edu wrote:
> The build machinery patch also adds recognition of "NSS:" identity
> types, to allow NSS databases to be used, though as that also implicitly
> adds CA certificates in the database to the set of trusted CAs, which
> can surprise people who are used to the way it works now, that might
> have to be dropped.
A lot of hard-core PKI types don't understand this, but the set of CAs which you trust to verify log-in-able certificates (e.g. for PKINIT) is unlikely to be the same as the ones canned into your browser. To give you a specific example: the NASA CA is under the US Treasury, which is not trusted by any OS or browser AFAIK. OTOH the mainland Chinese CA (CNNIC) *is* trusted by everyone.
Do I need to explain why that might make sense to the CAB Forum, but not for my PKINIT deployment? Who you allow as a trust anchor is application and LoA dependent.
If I understand what you're saying, then I don't think you did anything wrong. There needs to be some clear documentation of the side effects of referencing a database and a recommendation that you strictly limit the allowed trust anchors everywhere.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
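An added example, not code from this thread or from MIT krb5, to make the trust-anchor point concrete. It builds two throwaway CAs ("enterprise-ca", standing in for an organisation's own CA, and "public-ca", standing in for one of the many CAs that ship in browser bundles), issues a client certificate from each, and checks which chains a PKINIT anchor file that lists only the enterprise CA accepts compared with a broad bundle of the kind you implicitly inherit by pointing at a system or NSS CA store. The CA names, the EXAMPLE.COM realm, the file paths and the certificates themselves are all constructed for the demonstration; the krb5.conf `pkinit_anchors = FILE:` setting is a real option, but the fragment written here is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from MIT krb5). All names, realm and
# paths below are constructed for the demonstration; the certificates are
# short-lived throwaway test material.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA certificate and key for a CA named $1 (test material only).
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# End-entity certificate $2.pem with CN=$2, signed by CA $1.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

# Exit status 0 only if certificate $2 chains to an anchor listed in $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

mkca enterprise-ca
mkca public-ca
issue enterprise-ca alice    # legitimate PKINIT client of the organisation
issue public-ca mallory      # perfectly valid cert, but from a browser-trusted CA

# Restricted anchor set: the only thing pkinit_anchors should point at.
cat enterprise-ca.pem > pkinit_anchors.pem
# Broad bundle: what you get by trusting everything in a system or NSS store.
cat enterprise-ca.pem public-ca.pem > ca_bundle.pem

# Matching krb5.conf fragment for a hypothetical realm; the KDC would carry
# the same setting in kdc.conf.
cat > krb5.conf.fragment <<EOF
[realms]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:$WORK/pkinit_anchors.pem
    }
EOF

# Report for a stand-alone run.
for cert in alice.pem mallory.pem; do
  if chains_to pkinit_anchors.pem "$cert"; then
    echo "$cert: accepted with restricted anchors"
  else
    echo "$cert: rejected with restricted anchors"
  fi
  if chains_to ca_bundle.pem "$cert"; then
    echo "$cert: accepted with broad CA bundle"
  fi
done
```

With the restricted anchor file, only alice.pem verifies; mallory.pem is rejected even though it is a valid certificate from a CA every browser trusts. Against the broad bundle both verify, which is exactly the side effect the thread warns about when an NSS database's CA certificates silently become PKINIT trust anchors.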