Kerberos PKINIT [PSARC/2008/631 FastTrack timeout 10/17/2008]

Kais Belgaied Kais.Belgaied at sun.com
Mon Oct 13 18:11:32 PDT 2008


>
>   * New kinit(1) options:
>
>      -X attribute[=value]
>           specify a pre-authentication attribute and value to be
>           passed to pre-authentication plugins.  The acceptable
>           attribute and value values vary from pre-authentication
>           plugin to plugin.  This option may be specified multiple
>           times to specify multiple attributes.  If no value
>           is specified, it is assumed to be "yes".
>
>           The following attributes are recognized by the OpenSSL pkinit
>           pre-authentication mechanism:
>              X509_user_identity=URI
>                 Specify where to find user's X509 identity information.
>
>                 Valid URI types are FILE, DIR, PKCS11, PKCS12, and ENV.
>                 See PKINIT URI Types section for more details.
>
>              X509_anchors=URI
>                 Specify where to find trusted X509 anchor information.
>
>                 Valid URI types are FILE and DIR.
>                 See PKINIT URI Types section for more details.
>
>              flag_RSA_PROTOCOL[=yes]
>                 Specify use of RSA, rather than the default
>                 Diffie-Hellman protocol.
>   
Does OpenSolaris have any latitude in changing the attributes, or do they
need to be kept verbatim as they come from MIT code drops?
If we do, then the choice of a boolean flag_RSA_PROTOCOL[=yes] excludes other
key exchange algorithms, such as ECC.

    Kais



