[39599] in Kerberos
Re: interested in discussing some Kerberos improvements
daemon@ATHENA.MIT.EDU (Nico Williams)
Sat Apr 4 19:29:56 2026
Date: Sat, 4 Apr 2026 18:29:21 -0500
From: Nico Williams <nico@cryptonector.com>
To: Russ Allbery <eagle@eyrie.org>
Message-ID: <adGe0bBqzemrS68g@ubby>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <87o6k0n6fm.fsf@hope.eyrie.org>
Cc: kenh@cmf.nrl.navy.mil, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Thu, Apr 02, 2026 at 07:06:37PM -0700, Russ Allbery wrote:
> [...]. (Although also I'm not sure I understand the security
> model of using a PKINIT cert on disk and not a keytab.)
IMO it's strictly better. Though you can still have a keytab as an
optimization.
As Geoff explained in his reply, the idea is that the KDC can synthesize
a KDB entry for any principal that doesn't exist in the KDB but for
which a client certificate is presented (with a PKINIT SAN, issued by a
CA trusted for that and the realm in question) and issue a ticket.
If you want to revoke such a thing, you just create a KDB entry for the
given name and mark it locked.
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
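The KDC-side rule Nico describes above (synthesize an entry for a principal absent from the KDB when a trusted PKINIT certificate names it, and revoke by creating a locked KDB entry for that name), as an added Python model that is not part of this thread or of any KDC implementation; the dataclasses, realm name and CA name are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the decision described in the thread. A real KDC would
# validate the certificate chain and the PKINIT SAN encoding; here the
# certificate is reduced to its SAN principal and issuing CA.

@dataclass
class KdbEntry:
    principal: str
    locked: bool = False   # a locked entry revokes the name


@dataclass
class ClientCert:
    san_principal: str     # PKINIT SAN, e.g. "host/www.example.com@EXAMPLE.COM"
    issuer: str            # CA that signed the certificate


@dataclass
class Realm:
    name: str
    pkinit_trusted_cas: set[str]                  # CAs trusted for PKINIT here
    kdb: dict[str, KdbEntry] = field(default_factory=dict)


def decide_as_request(realm: Realm, cert: ClientCert) -> tuple[bool, str]:
    """Return (issue_ticket, reason) for a PKINIT AS-REQ carrying `cert`."""
    if cert.issuer not in realm.pkinit_trusted_cas:
        return False, "issuer not trusted for PKINIT in this realm"
    name, sep, cert_realm = cert.san_principal.rpartition("@")
    if not sep or not name or cert_realm != realm.name:
        return False, "SAN principal realm does not match this KDC's realm"
    entry = realm.kdb.get(cert.san_principal)
    if entry is None:
        # Unknown principal: synthesize an entry for this request only.
        return True, "synthesized KDB entry from trusted PKINIT cert"
    if entry.locked:
        return False, "principal exists and is locked (revoked)"
    return True, "existing KDB entry"


def revoke(realm: Realm, principal: str) -> None:
    """Revoke a synthesized principal by creating a locked KDB entry."""
    realm.kdb[principal] = KdbEntry(principal, locked=True)
```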