[OpenAFS] "public" pkinit service without database-overflow risk?

Adam Megacz megacz@cs.berkeley.edu
Tue, 03 Jan 2006 17:15:17 -0800


"Douglas E. Engert" <deengert@anl.gov> writes:
> And this is where PKINIT may play a much bigger roll. The "cross trust"
> is done at the PKI level, and certificates are enrolled in the local realm
> as needed.

Is it feasible for a PKINIT-aware KDC to issue session keys to
KRB_NT_X500_PRINCIPAL's without having to retain any record of the
transaction (ie not keeping a copy of the certificate or session key)?

I'm not aware of any existing KDC implementations that will issue
tickets to an entity that isn't already in the database -- or for
which there is not already an explicit "mapping" entry of some sort.
The pkinit patch for Heimdal requires a "pki-allowed-principals"
explicit mapping section in the KDC config.

In theory this should be possible, although to prevent denial of
service attacks, it would have to be done as I mention in the first
paragraph -- it would have to be "stateless".

>From RFC4120 and the PKINIT draft 16 I don't immediately see any
problems with this.  Could somebody with more knowledge of Kerberos
than I comment on potential obstacles to this?

  - a