[39341] in Kerberos
Re: Using PKINIT with ECC
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Fri Jan 26 09:04:05 2024
Message-Id: <202401261402.40QE1eBx014040@hedwig.cmf.nrl.navy.mil>
To: Goetz Golla <mit@sec4mail.de>
cc: kerberos@mit.edu
In-Reply-To: <81773b85-0be5-4412-9d64-ca94b2cdd2b7@sec4mail.de>
Date: Fri, 26 Jan 2024 09:01:40 -0500
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>It's good to know the reason why MIT Kerberos cannot handle EC
>certificates right now.

I think it's important to be specific here; the issue is specifically
a PKCS#11 token; Greg has already said that a software ECC certificate & key
work fine.

>So is there a way to submit a feature request for ECDSA support in MIT
>Kerberos ?

I have no inner view to the priorities of the MIT development team, so
I can't answer that. I can say I personally have had success by submitting
pull requests to their GitHub page, which I suppose is a roundabout way
of saying that the best way to make this happen is to do it yourself.
I imagine at some time we will be transitioning to ECDSA certificates
so if no one has implemented support by then I will probably do it.
However, it sounds like you need this more urgently than I so I would
not suggest waiting for me.

--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos