
Re: PK-INIT update

"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:

> Outstanding!
> I will probably be experimenting with this in a few weeks (if I don't
> have to spend too much time with SecurID anyway).  Is this a "use the
> source Luke" kind of thing, or is there some documentation of how
> it's supposed to work somewhere?

Most of the documentation is already there, it's just somewhat fragmented.


Also, all the magic bits that need to go into certificates (EKUs and
SANs) are documented either. OTOH they are not checked by the KDC/client
either yet.

> I'm going to wind up in the same situation as Doug E. it appears,
> except I'll probably want MacOS support in Tiger, and maybe Panther,
> not just Leopard.  I don't suppose anyone else is doing an
> Authorization Services plug-in?

Heimdal kinit works just fine on MacOS, not sure if I'll ever get around to
doing any Mac OS integration work.


> On Apr 7, 2006, at 4:19 AM, Love Hörnquist Åstrand wrote:
>> Hello,
>> At last Kerberos interop meeting in Boston we tested, among other things,
>> Heimdal PK-INIT with other implementations and got them to work for every
>> kind of certificate we tried. Both using Heimdal as a KDC and as a client.
>> In this test I used newly committed code for the X509/CMS part of PK-
>> called hx509 and is included in Heimdal.
>> The syntax in the configuration file has changed slightly, other than
>> that, it works the same way as the code based on OpenSSL's libcrypto.
>> The new addition is native support reading certificate stores in the format
>> of PKCS11, PKCS12 (.pfx/.p11), and directories.
>> If you try tonight's snapshot, it should work for you.
>> I've updated the webpage and will try to write documentation on how to
>> create certificates to use as a client and KDC.
>> Love
> ----------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
