
Re: PK-INIT update

"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:

> Outstanding!
>
> I will probably be experimenting with this in a few weeks (if I don't
> have to spend too much time with SecurID anyway).  Is this a "use the
> source Luke" kind of thing, or is there some documentation of how
> it's supposed to work somewhere?

Most of the documentation is already there, it's just somewhat fragmented.

http://people.su.se/~lha/patches/heimdal/pkinit/

Also, all the magic bits that need to go into certificates (EKUs and
SANs) are not documented either. OTOH they are not checked by the KDC/client
either yet.

> I'm going to wind up in the same situation as Doug E. it appears,
> except I'll probably want MacOS support in Tiger, and maybe Panther,
> not just Leopard.  I don't suppose anyone else is doing an
> Authorization Services plug-in?

Heimdal kinit works just fine on MacOS, not sure if I'll ever get around to
doing any Mac OS integration work.

Love

>
> On Apr 7, 2006, at 4:19 AM, Love Hörnquist Åstrand wrote:
>
>>
>> Hello,
>>
>> At the last Kerberos interop meeting in Boston we tested, among other
>> things, Heimdal PK-INIT with other implementations and got them to work
>> for every kind of certificate we tried. Both using Heimdal as a KDC and
>> as a client.
>>
>> In this test I used newly committed code for the X509/CMS part of PK-INIT
>> called hx509, which is included in Heimdal.
>>
>> The syntax in the configuration file has changed slightly; other than
>> that, it works the same way as the code based on OpenSSL's libcrypto.
>>
>> The new addition is native support for reading certificate stores in
>> the format of PKCS11, PKCS12 (.pfx/.p11), and directories.
>>
>> If you try tonight's snapshot, it should work for you.
>>
>> I've updated the webpage and will try to write documentation on how to
>> create certificates to use as a client and KDC.
>>
>> Love
>
> ----------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
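The "magic bits" Love refers to are the PKINIT-specific certificate contents from RFC 4556: the id-pkinit-KPClientAuth and id-pkinit-KPKdc extended key usages, and the id-pkinit-san otherName carrying a KRB5PrincipalName. The following is an added example, not code from this thread or from Heimdal, showing the check a KDC or client would perform on a certificate before trusting it for PKINIT. It uses the pyca/cryptography library to build constructed self-signed certificates (realm EXAMPLE.ORG and principal alice are made up for the demo) and a small hand-rolled DER encoder/decoder for KRB5PrincipalName, since the library has no native type for it.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

# OIDs defined in RFC 4556 (id-pkinit-san, KPClientAuth and KPKdc EKUs).
ID_PKINIT_SAN = ObjectIdentifier("1.3.6.1.5.2.2")
ID_PKINIT_KPCLIENTAUTH = ObjectIdentifier("1.3.6.1.5.2.3.4")
ID_PKINIT_KPKDC = ObjectIdentifier("1.3.6.1.5.2.3.5")


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV; short-form lengths are enough for principal names."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for a short-form TLV."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128
    start = pos + 2
    return tag, buf[start:start + length], start + length


def encode_krb5_principal_name(realm: str, components: list, name_type: int = 1) -> bytes:
    """DER-encode KRB5PrincipalName (RFC 4556 §3.2.2); Kerberos uses EXPLICIT tags.
    name_type 1 is NT-PRINCIPAL."""
    realm_tlv = _tlv(0xA0, _tlv(0x1B, realm.encode("ascii")))            # [0] Realm
    names = b"".join(_tlv(0x1B, c.encode("ascii")) for c in components)  # KerberosStrings
    pname = _tlv(0x30, _tlv(0xA0, _tlv(0x02, bytes([name_type])))        # [0] name-type
                 + _tlv(0xA1, _tlv(0x30, names)))                        # [1] name-string
    return _tlv(0x30, realm_tlv + _tlv(0xA1, pname))


def decode_krb5_principal_name(der: bytes) -> str:
    """Decode KRB5PrincipalName into the usual comp1/comp2@REALM string form."""
    _, body, _ = _read_tlv(der)                   # outer SEQUENCE
    _, realm_wrap, pos = _read_tlv(body)          # [0] realm
    _, realm, _ = _read_tlv(realm_wrap)
    _, pname_wrap, _ = _read_tlv(body, pos)       # [1] PrincipalName
    _, pname, _ = _read_tlv(pname_wrap)           # SEQUENCE
    _, _, pos = _read_tlv(pname)                  # [0] name-type (ignored here)
    _, ns_wrap, _ = _read_tlv(pname, pos)         # [1] name-string
    _, names_seq, _ = _read_tlv(ns_wrap)          # SEQUENCE OF KerberosString
    comps, p = [], 0
    while p < len(names_seq):
        _, comp, p = _read_tlv(names_seq, p)
        comps.append(comp.decode("ascii"))
    return "/".join(comps) + "@" + realm.decode("ascii")


def pkinit_principals(cert: x509.Certificate) -> list:
    """Principals carried in id-pkinit-san otherNames; empty if the SAN is absent."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    return [decode_krb5_principal_name(o.value)
            for o in san.get_values_for_type(x509.OtherName) if o.type_id == ID_PKINIT_SAN]


def has_eku(cert: x509.Certificate, oid: ObjectIdentifier) -> bool:
    try:
        return oid in cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False


def check_client_cert(cert: x509.Certificate, expected_principal: str) -> list:
    """What a KDC should verify on a PKINIT client certificate; returns problems found."""
    problems = []
    if not has_eku(cert, ID_PKINIT_KPCLIENTAUTH):
        problems.append("missing id-pkinit-KPClientAuth EKU")
    if expected_principal not in pkinit_principals(cert):
        problems.append(f"no id-pkinit-san binding the cert to {expected_principal}")
    return problems


def check_kdc_cert(cert: x509.Certificate, realm: str) -> list:
    """What a client should verify on the KDC certificate (krbtgt/REALM@REALM SAN)."""
    problems = []
    if not has_eku(cert, ID_PKINIT_KPKDC):
        problems.append("missing id-pkinit-KPKdc EKU")
    if f"krbtgt/{realm}@{realm}" not in pkinit_principals(cert):
        problems.append(f"no id-pkinit-san for krbtgt/{realm}@{realm}")
    return problems


def make_cert(cn: str, eku_oids: list, san_entries: list) -> x509.Certificate:
    """Constructed self-signed certificate for the demo (not a real CA issuance)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(datetime.datetime(2024, 1, 1))
         .not_valid_after(datetime.datetime(2034, 1, 1))
         .add_extension(x509.SubjectAlternativeName(san_entries), critical=False))
    if eku_oids:
        b = b.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
    return b.sign(key, hashes.SHA256())


def demo():
    """Good client cert vs. a plain TLS client cert that lacks the PKINIT bits."""
    good = make_cert("alice", [ID_PKINIT_KPCLIENTAUTH],
                     [x509.OtherName(ID_PKINIT_SAN, encode_krb5_principal_name("EXAMPLE.ORG", ["alice"]))])
    tls_only = make_cert("alice", [ExtendedKeyUsageOID.CLIENT_AUTH], [x509.DNSName("alice.example.org")])
    return check_client_cert(good, "alice@EXAMPLE.ORG"), check_client_cert(tls_only, "alice@EXAMPLE.ORG")


if __name__ == "__main__":
    print(demo())
```

The point of binding the certificate to the principal through id-pkinit-san rather than through the subject name alone is that a certificate issued for TLS client authentication cannot be repurposed to obtain Kerberos tickets for an arbitrary principal; a KDC that skips this check accepts any certificate its CA has ever issued.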
