Re: [Fed-Talk] PKINIT and Kerberos
- Subject: Re: [Fed-Talk] PKINIT and Kerberos
- From: "Timothy J. Miller" <email@hidden>
- Date: Tue, 15 Nov 2005 12:20:41 -0600
Nebergall, Christopher wrote:
> As the PKINIT draft is nearing becoming a standard
> http://tools.ietf.org/wg/krb-wg/draft-ietf-cat-kerberos-pk-init/draft-ietf-cat-kerberos-pk-init-29.txt
> I had some questions on Apple's support of the standard.
> 1. Does Apple currently have any support for PKINIT?
Wouldn't that be nice? (Hey Shawn, look, I'm not the only one pounding
this nail!)
> 2. Is any support planned?
I just had this conversation last week, and Apple doesn't comment on
future release plans. Much to my annoyance. ;)
> 3. If Macs do/start to support PKINIT will support of the protocol be
> rolled back into normal MIT Kerberos sources?
Part of the problem here is one of interoperability. Microsoft is the
only company using PKINIT, and MS is built on draft *9*. There are,
shall we say, *lots* of changes between draft 9 and draft 29, not the
least of which is MS is using *completely different PA_PK_AS_REQ/REP
type values*.
IIRC the MIT Kerberos team is on record as saying they're not going to
accept changes based on draft 9, and without interoperability the whole
thing is moot. MS can step up to the plate here, but it shouldn't
surprise anyone to know that they have expressed a distinct lack of interest.
> Without support for Kerberos, Smart Cards on Macs are largely not useful
> to my site to do anything but access the box itself. If anyone has
> had any luck or ideas on how to use smart cards on a Mac to access a
> wide variety of resources external to the box itself (i.e. Network file
> systems, SSH, web pages) I'd appreciate some tips.
This is of critical concern to DoD as well. We have communicated this
to Apple, and anxiously await results. ;)
-- Tim