[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT

To: heimdal-discuss@sics.se, Love Hörnquist Åstrand <lha@kth.se>
Subject: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Mon, 28 Jan 2008 15:38:13 -0800
Cc: "Timothy J. Miller" <tmiller@mitre.org>
In-Reply-To: <8978F34A-2F2F-4BC5-8797-8E71E3C5F90E@kth.se>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <6455A0C9-FF84-46A3-A05F-DDC6C0500A12@mitre.org> <37AB5B0F-20FB-4B1B-92B0-A1C79AF19643@kth.se> <2BDE73D6-2FBA-4A71-9E3E-A1166B77CB9C@mitre.org> <8978F34A-2F2F-4BC5-8797-8E71E3C5F90E@kth.se>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>


On Jan 28, 2008, at 2:18 PM, Love Hörnquist Åstrand wrote:

>
> 28 jan 2008 kl. 15.44 skrev Timothy J. Miller:
>
>> On Jan 27, 2008, at 7:09 AM, Love Hörnquist Åstrand wrote:
>>
>>> For the krb5_pk_create_sign(), how about the code searches for  
>>> IETF EKU, the mssmartcard-login eku and then w/o an eku instead.  
>>> Would that no allow no change to the API ?
>>
>> I debated this but thought the additional cost of passing through  
>> the cert list multiple times would be a waste.  I've also started  
>> thinking along the lines of generalizing the selection process so  
>> that arbitrary criteria could be set (much like MIT) and it seems  
>> to me that the less special-case code there is in  
>> _krb5_pk_create_sign() the better it will be in pursuing this.
>
> Right, it would be better is there was a selection/acl language i  
> hx509 that could be used. But I've not gone down that road since  
> the need have not been there.
>
> The cert list is in memory, and the lookups can be cached if its  
> shown to be slow.

I expect to need to do pkinit with PIV card certs which contain a the  
Microsoft attributes.  However I will need to ignore those attributes.

I'm not convinced the usage context for the cards is so performance  
sensitive that re-searching the card is unacceptable.  If our use  
case is always the second or third check, then it's nice the cert's  
are cached though.

>> Another option would be to read the config file again for  
>> pkinit_win2k or pkinit_require_eku inside _krb5_pk_create_sign();  
>> that would accomplish the same thing without changing the API.  I  
>> thought about this after I got the patch working so I haven't  
>> tried it yet.  I'm still figuring out the code.
>>
>> A last option would be to pass the current context to  
>> _krb5_pk_create_sign()--a smaller API change but a change  
>> nonetheless--but when I tried this I couldn't get it to work.  I  
>> don't remember what the problem was; most likely just inattention  
>> to detail on my part.
>>
>> Is changing the API of an internal, non-exported function a big  
>> deal?  (I ask for future reference :)
>
> The function is secretly exported to the kdc, and that why  
> chainging into a context function might be good to make it ABI stable.
>
> Love

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

Follow-Ups:
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: "Timothy J. Miller" <tmiller@mitre.org>

References:
- [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: "Timothy J. Miller" <tmiller@mitre.org>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: =?WINDOWS-1252?Q?Love_H=F6rnquist_=C5strand?= <lha@kth.se>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: "Timothy J. Miller" <tmiller@mitre.org>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: Love Hörnquist Åstrand <lha@kth.se>

Prev by Date: Re: AP REQUEST decrypt using shared secret
Next by Date: Las Vegas Bonus
Prev by thread: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
Next by thread: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
Index(es):
- Date
- Thread