[kerberos-discuss] Kerberos PKINIT [PSARC/2008/631 FastTrack timeout 10/17/2008]
Nicolas Williams
Nicolas.Williams at sun.com
Mon Oct 20 08:47:47 PDT 2008
On Wed, Oct 15, 2008 at 03:48:21PM +0200, Mark Phalan wrote:
> > Does OpenSolaris have any latitude in changing the attributes or do they
> > need to be kept verbatim as
> > they come from MIT code drops?
>
> We have latitude but generally we like to remain as compatible with
> upstream as possible.
Right. Differing from MIT -> more merge/sync work down the line (and/or
more work to do to get Solaris' differences integrated into MIT krb5).
> > If we do, then the choice of boolean flag_RSA_PROTOCOL[=yes] excluded other
> > key exchange algorithms, such as ECC.
>
> As PKINIT (RFC 4556) doesn't support ECC key exchange, I don't see an
> immediate need for this and it is not worth (in my opinion) breaking MIT
> compatibility for it now. I should note that this config file option is
> "Volatile".
FYI, RFC5349 adds ECDH support for PKINIT.
Note though that flag_RSA_PROTOCOL does not preclude any ECC
enhancements. It merely enables one key exchange method (RSA key
transport) for PKINIT.
One supposes that that means that we can expect more boolean
flag_<key_exch_method>_PROTOCOL parameters.
The "flag_" prefix is annoying (read: redundant), but I'll live.
IOW, this parameter is not a problem.
Nico