
Re: pkinit_require_eku



On 1 Dec 2006, at 12:27, Michael Ströder wrote:

> Love Hörnquist Åstrand wrote:
>>
>>> And is it a necessary requirement to have eku field in the
>>> certificates ?
>>
>> It's required to have the PK-INIT EKU in the KDC's certificate by
>> the RFC specifying PK-INIT.
>
> Looking at RFC 4556 (PKINIT) I see the OIDs and data structures differ
> from what is needed for smartcard logon with MS AD at the moment. Is
> that right?
>
> I'm currently designing certificate profiles for client authentication
> certs and server certs. Should I add these OIDs to EKU extension for
> future PKINIT implementations? I wonder where this all is heading...

Microsoft Vista will use the PK-INIT EKU/subjectAltName for the KDC
certificate, from what I understand when talking to the Microsoft
developers.

I didn't write about client certificates since it's both simpler
and harder to deal with. w2k(3) doesn't support smartcard login without
that MS smartcard EKU unless it's turned off in the KDC
(I know it's possible, just not how).

For many of the smartcard profiles it's not possible to add an extra
EKU/SAN since it's the Kerberos people that drive the process.
With this in mind, the client certs need to work even without
any special EKU/SAN, and I think Windows Vista will do that too;
Heimdal only uses the subject DN right now.

Love
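The thread turns on which extendedKeyUsage OIDs a KDC or client certificate carries. The following is an added example, not code from this thread or from Heimdal: it encodes and decodes the DER of an EKU extension value in pure Python and checks it against the RFC 4556 KDC requirement (id-pkinit-KPKdc) and the Microsoft smartcard-logon EKU. The OID constants are the ones defined in RFC 4556 and by Microsoft; the EKU byte strings built in the block are constructed sample input, not taken from any real certificate.

```python
"""Decode an X.509 extendedKeyUsage (EKU) value and check it for the
PKINIT (RFC 4556) and Microsoft smartcard-logon purposes.

Added example; constants are the published OIDs, sample EKUs are constructed.
"""

ID_PKINIT_KPKDC = "1.3.6.1.5.2.3.5"          # RFC 4556: required in KDC cert
ID_PKINIT_KPCLIENTAUTH = "1.3.6.1.5.2.3.4"   # RFC 4556: client cert purpose
ID_MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"  # Microsoft smartcard logon
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"      # RFC 5280 id-kp-clientAuth
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # RFC 5280 id-kp-serverAuth


def encode_oid(dotted):
    """DER-encode a dotted OID as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # low 7 bits, no continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))      # higher groups carry bit 7
            arc >>= 7
        body.extend(reversed(chunk))               # most significant group first
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """DER-encode an ExtKeyUsageSyntax (SEQUENCE OF KeyPurposeId)."""
    content = b"".join(encode_oid(o) for o in oids)
    if len(content) >= 128:
        raise ValueError("short-form length only; too many purposes for this helper")
    return bytes([0x30, len(content)]) + content


def _read_tlv(data, pos):
    """Return (tag, value bytes, position after the element) for the TLV at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # last group of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the list of dotted OIDs in an EKU extension value."""
    tag, content, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def kdc_eku_ok(der):
    """RFC 4556: the KDC certificate must carry id-pkinit-KPKdc."""
    return ID_PKINIT_KPKDC in decode_eku(der)


def client_eku_profile(der):
    """Report which client-side logon purposes an EKU value carries."""
    oids = set(decode_eku(der))
    return {
        "pkinit_client_auth": ID_PKINIT_KPCLIENTAUTH in oids,
        "ms_smartcard_logon": ID_MS_SMARTCARD_LOGON in oids,
    }


if __name__ == "__main__":
    # Constructed sample EKUs: a KDC cert with and without the PKINIT purpose.
    print(kdc_eku_ok(encode_eku([ID_KP_SERVER_AUTH, ID_PKINIT_KPKDC])))   # True
    print(kdc_eku_ok(encode_eku([ID_KP_SERVER_AUTH])))                    # False
    print(client_eku_profile(encode_eku([ID_KP_CLIENT_AUTH, ID_MS_SMARTCARD_LOGON])))
```

The checks only look at EKU contents; a full validation would also verify the chain, and, for the KDC case, the id-pkinit-san SubjectAltName the thread mentions.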