https://k5wiki.test.kerberos.org/wiki?action=history&feed=atom&title=Release_Meeting_Minutes%2F2014-08-19Release Meeting Minutes/2014-08-19 - Revision history2026-05-14T17:25:41ZRevision history for this page on the wikiMediaWiki 1.27.4https://k5wiki.test.kerberos.org/wiki?title=Release_Meeting_Minutes/2014-08-19&diff=5378&oldid=prevTomYu: New page: {{minutes|2014}} Will Fiveash, Thomas Hardjono, Ken Hornstein, Greg Hudson, Ben Kaduk, Simo Sorce, Zhanna Tsitkov, Tom Yu ==Kerberos Day== Kerberos Day 9/17 as part of MIT-KIT conference...2014-08-19T20:14:04Z<p>New page: {{minutes|2014}} Will Fiveash, Thomas Hardjono, Ken Hornstein, Greg Hudson, Ben Kaduk, Simo Sorce, Zhanna Tsitkov, Tom Yu ==Kerberos Day== Kerberos Day 9/17 as part of MIT-KIT conference...</p>
<p><b>New page</b></p><div>{{minutes|2014}}<br />
<br />
Will Fiveash, Thomas Hardjono, Ken Hornstein, Greg Hudson, Ben Kaduk, Simo Sorce, Zhanna Tsitkov, Tom Yu<br />
<br />
==Kerberos Day==<br />
Kerberos Day 9/17 as part of MIT-KIT conference. Kerberos ops forum in afternoon.<br />
<br />
==PKINIT==<br />
<br />
Ken describes three main classes of local changes he's made:<br />
<br />
# Specify mapping from cert to principal. Was matching string inside TL-data, now using string attributes.<br />
# OCSP checking<br />
# Setting HW-PREAUTH on some tickets based on cert policy OIDs (e.g. DOD policy OID for smart card or other hardware token)<br />
<br />
Servers can check the HW-PREAUTH flag (via local GSSAPI extensions). Greg mentions that we have talked about split client/server semantics for preauth flags in the KDB. Ken would like a standard interface for applications to look at ticket flags using GSSAPI.<br />
<br />
Ken's KDC principal matching rules are a generalization of existing matching rules in the PKINIT client code.<br />
<br />
;Greg: Deny if OCSP unreachable?<br />
<br />
;Ken: Local OCSP daemon on KDC host, so not a problem in practice. (later) Yes, we deny if OCSP server is unreachable.<br />
<br />
Greg wonders why not a CRL file. Ken says it's better for performance to use an OCSP server, due to size and quantity of CRL files.<br />
<br />
Greg says a sub-plugin for PKINIT cert-to-principal mappings is a possibility. Synchronous OCSP check could be OK if the server is local.<br />
<br />
==Dynamic client principals==<br />
<br />
There is interest in being able to issue tickets based on preauth from an external identity system (e.g. X.509 PKI) without a corresponding client principal name in the database. This can decrease complications with synchronizing multiple identity stores. Greg also suggests self-service bootstrapping of client principal entries in the KDC starting from a X.509 cert and PKINIT to talk to kadmind. We should get more feedback from operators about this idea.<br />
<br />
==krb5-1.13==<br />
<br />
krb5-1.13-alpha1 probably later this week. Final release probably second week of October.</div>TomYu