
Re: Request for new work item - Defining an SRV RR otherName



>>>>> "Stefan" == Stefan Santesson <stefans@xxxxxxxxxxxxx> writes:

    Stefan> Sam, My recollection of this issue is a bit different from
    Stefan> yours.

    Stefan> The central need here is to enable the KDC to express in a
    Stefan> certificate the fact that it is a KDC in a way that makes
    Stefan> sense to clients.


If this is all you want, bind the KDC certificate to the TGS principal
for the realm. That's what Larry's pkinit 26 text does.

The original problem with that solution is that it required CAs to
implement the Kerberos OtherName.  However, this approach also requires
the CA to implement a new OtherName.