[OpenAFS-devel] openafs - proposed cache security improvement
Jim Rees
rees@umich.edu
Fri, 30 Mar 2007 14:34:21 -0500
The citi implementation of pkinit is in the MIT kerberos source tree, but I
don't think it has made it into an official release yet. It has two
interfaces for doing its pk work. One is pkcs11, which can be used to talk
to a smartcard or other secure hardware (or even software) token. The other
simply reads certs and keys out of a file. It requires a client cert, not
just a key.
Heimdal has its own pkinit implementation. It interoperates with ours. I
don't know much more about it.
Microsoft of course has their own implementation which doesn't match the
rfc. We do, however, interoperate with them. MacOS also has an
implementation. Last time I looked it was based on an early draft of the
rfc but I'm sure that has changed. It uses the Mac crypto api.
I don't think pkinit could be used to obtain a host context without a host
key, but maybe someone could think of a way.