
Re: PKINIT Diffie-Hellman support
On Fri, May 24, 2002 at 11:23:17AM -0700, Partha Saha wrote:
> Hi Dan,
Hi Partha,

> I thank you for bringing out a PKINIT patch to Heimdal.  It is
> a significant contribution to people who have to use Kerberos
> for a living.
> 
> However,
> 
> From draft-ietf-cat-kerberos-pk-init-15.txt:
> 
> PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in
>     combination with DSA keys as the primary, required mechanism.
> 
> From the more recent draft-ietf-cat-kerberos-pk-init-16.txt:
> 
> PKINIT utilizes ephemeral-ephemeral Diffie-Hellman keys in
>     combination with RSA keys as the primary, required mechanism.

I know there are some places where the implementation doesn't comply with the
specification. But my primary goal is to support our users who already have
their X.509 certificates and want to access our Kerberos environment. Therefore
I'll focus mainly on making the current implementation as stable as possible
and am not going to implement the DH support (since I'm afraid I would have to
spend much time on it). Of course, if anyone is willing to implement it I'd
give them as much support as I can.

> 
> How is the AS-reply encrypted if DH is not used as per spec?

It's encrypted with the user's public key (well, it's a bit more complicated,
but the idea is this).

cheers

--
Dan