[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT

To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Subject: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
From: "Timothy J. Miller" <tmiller@mitre.org>
Date: Tue, 29 Jan 2008 12:43:29 -0600
Cc: heimdal-discuss@sics.se, Love Hörnquist Åstrand <lha@kth.se>
In-Reply-To: <0EAE1BB4-FB2B-4D56-A84F-DBCC41ADF43E@jpl.nasa.gov>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <6455A0C9-FF84-46A3-A05F-DDC6C0500A12@mitre.org> <37AB5B0F-20FB-4B1B-92B0-A1C79AF19643@kth.se> <2BDE73D6-2FBA-4A71-9E3E-A1166B77CB9C@mitre.org> <8978F34A-2F2F-4BC5-8797-8E71E3C5F90E@kth.se> <0EAE1BB4-FB2B-4D56-A84F-DBCC41ADF43E@jpl.nasa.gov>
Reply-To: heimdal-discuss@sics.se, "Timothy J. Miller" <tmiller@mitre.org>

On Jan 28, 2008, at 5:38 PM, Henry B. Hotz wrote:

> I expect to need to do pkinit with PIV card certs which contain a  
> the Microsoft attributes.  However I will need to ignore those  
> attributes.
>
> I'm not convinced the usage context for the cards is so performance  
> sensitive that re-searching the card is unacceptable.  If our use  
> case is always the second or third check, then it's nice the cert's  
> are cached though.

I like to generalize, and while I can't think of a use case where  
someone has multiple tokens simultaneously connected with hundreds of  
certs on each doesn't mean that one doesn't exist.  :)

-- Tim

smime.p7s

References:
- [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: "Timothy J. Miller" <tmiller@mitre.org>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: =?WINDOWS-1252?Q?Love_H=F6rnquist_=C5strand?= <lha@kth.se>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: "Timothy J. Miller" <tmiller@mitre.org>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>

Prev by Date: Re: AP REQUEST decrypt using shared secret
Next by Date: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
Prev by thread: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
Next by thread: Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT
Index(es):
- Date
- Thread