[OpenAFS-devel] openafs - proposed cache security improvement

Jim Rees rees@umich.edu
Fri, 30 Mar 2007 14:34:21 -0500


The citi implementation of pkinit is in the MIT kerberos source tree, but I
don't think it has made it into an official release yet.  It has two
interfaces for doing its pk work.  One is pkcs11, which can be used to talk
to a smartcard or other secure hardware (or even software) token.  The other
simply reads certs and keys out of a file.  It requires a client cert, not
just a key.

Heimdal has its own pkinit implementation.  It interoperates with ours.  I
don't know much more about it.

Microsoft of course has their own implementation which doesn't match the
rfc.  We do, however, interoperate with them.  MacOS also has an
implementation.  Last time I looked it was based on an early draft of the
rfc but I'm sure that has changed.  It uses the Mac crypto api.

I don't think pkinit could be used to obtain a host context without a host
key, but maybe someone could think of a way.
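An added illustration of the two identity sources described above (a PKCS#11 token or a cert-plus-key file), not part of Jim's message: a krb5.conf fragment in the syntax of current MIT Kerberos releases, whose pkinit_identities and pkinit_anchors options are assumed here and postdate the CITI tree he is describing. The realm name, KDC host, file paths and PKCS#11 module path are placeholders.

```ini
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        # CA certificate(s) used to validate the KDC's certificate in the AS-REP.
        pkinit_anchors = FILE:/etc/krb5/cacert.pem

        # Option 1: the "file" interface. Both a client certificate and its
        # private key are needed; the key alone is not enough.
        pkinit_identities = FILE:/etc/krb5/user-cert.pem,/etc/krb5/user-key.pem

        # Option 2: the PKCS#11 interface, talking to a smartcard or other
        # hardware/software token through its PKCS#11 module (placeholder path).
        # pkinit_identities = PKCS11:module_name=/usr/lib/opensc-pkcs11.so:slotid=0
    }
```

The same choice can be made per invocation instead of in krb5.conf, e.g. `kinit -X X509_user_identity=FILE:/etc/krb5/user-cert.pem,/etc/krb5/user-key.pem user@EXAMPLE.COM` or `kinit -X X509_user_identity=PKCS11:module_name=/usr/lib/opensc-pkcs11.so user@EXAMPLE.COM`; the PKCS11 form prompts for the token PIN rather than a password.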