[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT

To: Love Hörnquist Åstrand <lha@kth.se>
Subject: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
From: "Timothy J. Miller" <tmiller@mitre.org>
Date: Mon, 28 Jan 2008 08:44:47 -0600
Cc: heimdal-discuss@sics.se
In-Reply-To: <37AB5B0F-20FB-4B1B-92B0-A1C79AF19643@kth.se>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <6455A0C9-FF84-46A3-A05F-DDC6C0500A12@mitre.org> <37AB5B0F-20FB-4B1B-92B0-A1C79AF19643@kth.se>
Reply-To: heimdal-discuss@sics.se, "Timothy J. Miller" <tmiller@mitre.org>

On Jan 27, 2008, at 7:09 AM, Love Hörnquist Åstrand wrote:

> For the krb5_pk_create_sign(), how about the code searches for IETF  
> EKU, the mssmartcard-login eku and then w/o an eku instead. Would  
> that no allow no change to the API ?

I debated this but thought the additional cost of passing through the  
cert list multiple times would be a waste.  I've also started  
thinking along the lines of generalizing the selection process so  
that arbitrary criteria could be set (much like MIT) and it seems to  
me that the less special-case code there is in _krb5_pk_create_sign()  
the better it will be in pursuing this.

Another option would be to read the config file again for  
pkinit_win2k or pkinit_require_eku inside _krb5_pk_create_sign();  
that would accomplish the same thing without changing the API.  I  
thought about this after I got the patch working so I haven't tried  
it yet.  I'm still figuring out the code.

A last option would be to pass the current context to  
_krb5_pk_create_sign()--a smaller API change but a change  
nonetheless--but when I tried this I couldn't get it to work.  I  
don't remember what the problem was; most likely just inattention to  
detail on my part.

Is changing the API of an internal, non-exported function a big  
deal?  (I ask for future reference :)

-- Tim

smime.p7s

Follow-Ups:
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: Love Hörnquist Åstrand <lha@kth.se>

References:
- [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: "Timothy J. Miller" <tmiller@mitre.org>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: =?WINDOWS-1252?Q?Love_H=F6rnquist_=C5strand?= <lha@kth.se>

Prev by Date: AP REQUEST decrypt using shared secret
Next by Date: Re: Tickets without realm?
Prev by thread: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
Next by thread: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
Index(es):
- Date
- Thread