Re: Changes to PKINIT

Hej Daniel

> I hope you'll find the modifications useful and possibly add them to the main
> code.

I find the code most useful. My comments so far are:

* The proxy certificate code should be mostly a no-brainer, and part of
  the code might actually be good for following the PK-INIT spec. It
  requires the client to send the certificate chain to the KDC, the code
  doesn't do that today.

* Globus GSI is based on OpenSSL? It looks that way, since the X509 structure is
  passed into globus_gsi_cert_utils_get_cert_type().

* What do the callbacks into globus do?

* You have seen that I've added pk-init ACLs to the new HDB extensions,
  they might solve your problem of needing to reload the ACLs file. On the
  issue I think the KDC should just reload the CRT files by itself when they
  change so there is no need to HUP the KDC, this would be just like the
  database works today. Same thing goes for OCSP data that might be included
  in the reply from the KDC.

* I think the time checking is wrong (UTCTime vs GeneralizedTime). Can you
  use some built-in function from OpenSSL to have it deal with that for
  you? X509_cmp_time seems hideous but should do the work for you.

  It's a very good idea to check and should be in security considerations in
  the pk-init draft, I'll send a mail to the krb-wg list about it. Thanks!

* I agree that the proxy certificate stuff might not be enough checking,
  but I don't know what OpenSSL is supposed to check. I fear that the
  documentation is the usual OpenSSL style and we have to guess what the caller
  is supposed to do itself. The is_proxy() code runs after the chain
  verification, so I would hope that the existence of PROXYCERTINFO in the
  certificate should be enough to check if it is a proxy cert or not, but then I
  have to read over the documentation/code to verify that.

What version are you running?

Do you feel like fixing some of the comments I had on the code (time issues)
and issuing a new patch? If not, I'll deal with the patch later.
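On the UTCTime vs GeneralizedTime point above, an added illustration (not Daniel's patch and not Heimdal or OpenSSL code; the function names are my own): a small OpenSSL-free decoder for the two ASN.1 validity time encodings, including the RFC 5280 two-digit-year rule (50-99 is 19xx, 00-49 is 20xx) that a hand-written check is most likely to get wrong, plus the notBefore/notAfter comparison that X509_cmp_time does for you. The notBefore/notAfter values in the check are constructed samples, not from any real certificate.

```c
#include <limits.h>
#include <string.h>

#define X509_TIME_BAD LLONG_MIN   /* sentinel for malformed input */

/* Parse n ASCII digits; -1 if any is not a digit. */
static int digits(const char *s, int n) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm). */
static long long days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;
    long long doy = (153LL * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + (yoe * 365 + yoe / 4 - yoe / 100 + doy) - 719468;
}

/* Decode a validity time to seconds since the epoch (UTC).
 * generalized == 0: UTCTime "YYMMDDHHMMSSZ"; RFC 5280 maps YY 50-99 to 19YY, 00-49 to 20YY.
 * generalized != 0: GeneralizedTime "YYYYMMDDHHMMSSZ".
 * Day-of-month is range-checked only, not against the month's length. */
long long x509_time_to_epoch(const char *s, int generalized) {
    size_t len = generalized ? 15 : 13;
    if (strlen(s) != len || s[len - 1] != 'Z') return X509_TIME_BAD;
    int year = digits(s, generalized ? 4 : 2);
    if (year < 0) return X509_TIME_BAD;
    if (!generalized) year += (year >= 50) ? 1900 : 2000;
    s += generalized ? 4 : 2;
    int mon = digits(s, 2), day = digits(s + 2, 2), hh = digits(s + 4, 2),
        mm = digits(s + 6, 2), ss = digits(s + 8, 2);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh < 0 || hh > 23 ||
        mm < 0 || mm > 59 || ss < 0 || ss > 59) return X509_TIME_BAD;
    return days_from_civil(year, mon, day) * 86400 + hh * 3600 + mm * 60 + ss;
}

/* 1 if now is within [notBefore, notAfter], 0 if outside, -1 if either time is malformed. */
int cert_time_valid(const char *nb, int nb_gen, const char *na, int na_gen, long long now) {
    long long t0 = x509_time_to_epoch(nb, nb_gen), t1 = x509_time_to_epoch(na, na_gen);
    if (t0 == X509_TIME_BAD || t1 == X509_TIME_BAD) return -1;
    return (now >= t0 && now <= t1) ? 1 : 0;
}
```

Note that a certificate may legitimately carry notBefore as UTCTime and notAfter as GeneralizedTime (anything from 2050 on must), so the two tags have to be decoded independently before comparing.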


