I may be asking a question which exposes either my ignorance or lack of imagination, but is there a reason a kx509 (RFC6717/RFC4556) certificate wouldn't work? Wouldn't it be easier to add support for these previously defined extensions?

As I understand it, the main difference between kx509 certificates and your proposal is that in your proposal a shared secret exists between the KDC and the recipient of the certificate; whereas a server accepting kx509 certificates would just be configured to trust the user's kx509 signer. Both use principal names defined by the KDC as a back-end identity store.

Thanks,
Bryce

-----Original Message-----
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Rick van Rein
Sent: Saturday, October 31, 2015 4:25 AM
To: kerberos@mit.edu
Subject: Packing Kerberos Tickets into X.509 certificates

Hello,

Attached is an X.509 certificate holding a Kerberos Ticket as public key info and an Authenticator with the checksum SHA1(TBSCertificate) as a certificate self-signature. A demo that generates such self-signed certificates from within an MIT krb5 environment is on

https://github.com/arpa2/kerberos2pkix

This is somewhat wild, but it does not appear to conflict with X.509, which is very general and uses OIDs to indicate the form of public key info and certificate signature. The new thing is that it doesn't use public key crypto but an infrastructure that makes similar things possible with public Tickets encapsulating symmetric keys, so it will be limited to sessions with a known X.509 recipient.

I am interested in responses, including those that explain feelings of why this is "right" or "wrong". I found this in trying to get Kerberos integrated into TLS as naturally as possible. This approach is the most natural option I found, roughly requiring a new "Kerberos" signing algorithm for TLS, and adding TLS' hash algorithms to the list of checksum types for Kerberos' Authenticators.

If you see other potential applications for X.509 certificates with Kerberos contents, I'd be interested in hearing those too.
Cheers,
 -Rick

-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: 1.3.6.1.4.1.44469.666.509.88.1.1.2.1.3.14.3.2.26
        Issuer: 
        Validity
            Not Before: Oct 16 12:42:11 2015 GMT
            Not After : Oct 16 12:47:11 2015 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: 1.3.6.1.4.1.44469.666.509.88.1.1.1
            [OpenSSL was not updated to interpret this new OID - Rick]
            Unable to load Public Key
            140277261715112:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
            140277261715112:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:
    Signature Algorithm: 1.3.6.1.4.1.44469.666.509.88.1.1.2.1.3.14.3.2.26
    [OpenSSL can dump the generic BIT STRING for this new OID blindly - Rick]
         30:81:8b:a0:03:02:01:12:a2:81:83:04:81:80:ae:ab:e4:69:
         87:51:25:ac:1b:6a:13:99:c1:23:60:08:b7:8a:de:7b:c3:b1:
         b7:4e:0d:b4:33:83:9c:b7:cf:66:0b:cc:ab:90:b6:96:1a:2e:
         81:7f:ac:c8:60:32:80:6c:ba:8b:57:dc:31:f8:5d:c6:bf:82:
         65:c0:9a:29:2e:9d:27:7d:eb:e5:9c:01:80:63:0f:6e:89:6d:
         47:d3:05:c6:05:56:d1:ad:1b:0e:89:12:e2:02:7a:ca:a5:1d:
         c4:4f:04:7f:39:1e:63:f3:ee:69:5b:ee:fd:8b:c4:45:0b:5c:
         3b:47:c8:96:78:39:b5:45:3d:45:de:c8:e9:de:26:6f
-----BEGIN CERTIFICATE-----
MIICZzCCAbegAwIBAgIBADAYBhYrBgEEAYLbNYUag31YAQECAQMOAwIaMAAwIhgP
MjAxNTEwMTYxMjQyMTFaGA8yMDE1MTAxNjEyNDcxMVowADCCAWkwEgYQKwYBBAGC
2zWFGoN9WAEBAQOCAVEAYYIBTDCCAUigAwIBBaELGwlBUlBBMi5ORVSiITAfoAMC
AQGhGDAWGwR4bXBwGw54bXBwLmFycGEyLm5ldKOCAQ8wggELoAMCARKhAwIBA6KB
/gSB+yNg3rifFZ9R1pWKwQJ7hd2tjXOYoWLHhSa7o9lF9M4F/vbvJDS19TeYZamR
5XiqBQLxU1UpcWAJan+vqwFoo+iEhJfbIXxgpeJNSpeNQ8wE+4iIh3c+cHzDdZ0J
Avyq134LnQvJaZlvVhnHagJLrivtMlKL5lzvlSfeKDmKAI4HfXuBz98K6du7DwoK
WUjvxQnhEHPwRQHCzdaRS8bGsMA8jJ68g/7zqyz+mRSBqpI3R1BbC/xijMHLhfE3
22vgfNfrcUyVhi0yi+xh1nU6pfP1HHHbF4t1X3ineKUMG1/CJiESCCcRh8v8LjFz
KGSVGaHx4nUUXpNEJD2GMBgGFisGAQQBgts1hRqDfVgBAQIBAw4DAhoDgY8AMIGL
oAMCARKigYMEgYCuq+Rph1ElrBtqE5nBI2AIt4ree8Oxt04NtDODnLfPZgvMq5C2
lhougX+syGAygGy6i1fcMfhdxr+CZcCaKS6dJ33r5ZwBgGMPboltR9MFxgVW0a0b
DokS4gJ6yqUdxE8EfzkeY/PuaVvu/YvERQtcO0fIlng5tUU9Rd7I6d4mbw==
-----END CERTIFICATE-----
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
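The certificate Rick attached can be dissected without teaching OpenSSL the new OIDs, which makes the construction he describes concrete: the SubjectPublicKeyInfo BIT STRING carries an RFC 4120 Ticket, and the signature BIT STRING carries an EncryptedData, the outer wrapper of the Authenticator whose checksum is taken over SHA1(TBSCertificate). The following Python is an added example, not code from the post or from the kerberos2pkix repository. It assumes only what the post states (that the two BIT STRINGs hold those Kerberos structures); the tags and field names come from RFC 4120 and RFC 5280, and the PEM is copied verbatim from the message. It cannot verify the checksum, because that requires the session key sealed inside the ticket, which is exactly why such a certificate is only meaningful to the named service.

```python
import base64
import hashlib

# The certificate exactly as attached to the post (copied, not constructed).
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICZzCCAbegAwIBAgIBADAYBhYrBgEEAYLbNYUag31YAQECAQMOAwIaMAAwIhgP
MjAxNTEwMTYxMjQyMTFaGA8yMDE1MTAxNjEyNDcxMVowADCCAWkwEgYQKwYBBAGC
2zWFGoN9WAEBAQOCAVEAYYIBTDCCAUigAwIBBaELGwlBUlBBMi5ORVSiITAfoAMC
AQGhGDAWGwR4bXBwGw54bXBwLmFycGEyLm5ldKOCAQ8wggELoAMCARKhAwIBA6KB
/gSB+yNg3rifFZ9R1pWKwQJ7hd2tjXOYoWLHhSa7o9lF9M4F/vbvJDS19TeYZamR
5XiqBQLxU1UpcWAJan+vqwFoo+iEhJfbIXxgpeJNSpeNQ8wE+4iIh3c+cHzDdZ0J
Avyq134LnQvJaZlvVhnHagJLrivtMlKL5lzvlSfeKDmKAI4HfXuBz98K6du7DwoK
WUjvxQnhEHPwRQHCzdaRS8bGsMA8jJ68g/7zqyz+mRSBqpI3R1BbC/xijMHLhfE3
22vgfNfrcUyVhi0yi+xh1nU6pfP1HHHbF4t1X3ineKUMG1/CJiESCCcRh8v8LjFz
KGSVGaHx4nUUXpNEJD2GMBgGFisGAQQBgts1hRqDfVgBAQIBAw4DAhoDgY8AMIGL
oAMCARKigYMEgYCuq+Rph1ElrBtqE5nBI2AIt4ree8Oxt04NtDODnLfPZgvMq5C2
lhougX+syGAygGy6i1fcMfhdxr+CZcCaKS6dJ33r5ZwBgGMPboltR9MFxgVW0a0b
DokS4gJ6yqUdxE8EfzkeY/PuaVvu/YvERQtcO0fIlng5tUU9Rd7I6d4mbw==
-----END CERTIFICATE-----"""

SHA1_OID = "1.3.14.3.2.26"  # id-sha1; the post's signature OID ends with these arcs


def pem_to_der(pem):
    return base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))


def read_tlv(buf, pos=0):
    """Decode one DER TLV (single-byte tags only); return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val


def decode_oid(contents):
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:                 # base-128 arcs, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_encrypted_data(buf):
    """RFC 4120 EncryptedData ::= SEQUENCE { etype [0], kvno [1] OPTIONAL, cipher [2] OCTET STRING }."""
    tag, seq, _ = read_tlv(buf)
    assert tag == 0x30, "EncryptedData must be a SEQUENCE"
    out = {"etype": None, "kvno": None, "cipher": b""}
    for ctag, cval in iter_tlvs(seq):
        inner = read_tlv(cval)[1]          # strip the [n] EXPLICIT wrapper
        if ctag == 0xA0:
            out["etype"] = int.from_bytes(inner, "big", signed=True)
        elif ctag == 0xA1:
            out["kvno"] = int.from_bytes(inner, "big")
        elif ctag == 0xA2:
            out["cipher"] = inner
    return out


def parse_ticket(buf):
    """RFC 4120 Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }."""
    tag, body, _ = read_tlv(buf)
    assert tag == 0x61, "expected [APPLICATION 1] Ticket"
    ticket = {}
    for ctag, cval in iter_tlvs(read_tlv(body)[1]):
        if ctag == 0xA0:
            ticket["tkt_vno"] = int.from_bytes(read_tlv(cval)[1], "big")
        elif ctag == 0xA1:
            ticket["realm"] = read_tlv(cval)[1].decode("ascii")
        elif ctag == 0xA2:                 # PrincipalName ::= SEQUENCE { name-type [0], name-string [1] }
            for ptag, pval in iter_tlvs(read_tlv(cval)[1]):
                if ptag == 0xA0:
                    ticket["name_type"] = int.from_bytes(read_tlv(pval)[1], "big")
                elif ptag == 0xA1:
                    ticket["sname"] = [s.decode("ascii") for _, s in iter_tlvs(read_tlv(pval)[1])]
        elif ctag == 0xA3:
            ticket["enc_part"] = parse_encrypted_data(cval)
    return ticket


def analyze_certificate(pem):
    """Split Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature } and decode the Kerberos payloads."""
    _, cert, _ = read_tlv(pem_to_der(pem))
    _, tbs, end_tbs = read_tlv(cert)
    tbs_der = cert[:end_tbs]               # whole TBSCertificate TLV: the bytes the Authenticator checksum covers
    _, sig_alg, pos = read_tlv(cert, end_tbs)
    _, sig_bits, _ = read_tlv(cert, pos)
    fields = list(iter_tlvs(tbs))          # version, serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg_id, key_bits = [v for _, v in iter_tlvs(fields[6][1])]
    sig_oid = decode_oid(read_tlv(sig_alg)[1])
    return {
        "tbs_der": tbs_der,
        "tbs_sha1": hashlib.sha1(tbs_der).hexdigest(),
        "key_oid": decode_oid(read_tlv(alg_id)[1]),
        "sig_oid": sig_oid,
        "sig_oid_ends_with_sha1": sig_oid.endswith("." + SHA1_OID),
        "ticket": parse_ticket(key_bits[1:]),          # BIT STRING: skip the unused-bits octet
        "authenticator": parse_encrypted_data(sig_bits[1:]),
    }


if __name__ == "__main__":
    r = analyze_certificate(CERT_PEM)
    t = r["ticket"]
    print("SPKI algorithm", r["key_oid"], "-> Ticket for", "/".join(t["sname"]) + "@" + t["realm"],
          "etype", t["enc_part"]["etype"], "kvno", t["enc_part"]["kvno"])
    print("signature algorithm", r["sig_oid"], "ends with id-sha1:", r["sig_oid_ends_with_sha1"])
    print("signature = EncryptedData etype", r["authenticator"]["etype"], "; SHA1(TBSCertificate) =", r["tbs_sha1"])
```

Running it shows the ticket is for xmpp/xmpp.arpa2.net@ARPA2.NET with an aes256-cts-hmac-sha1-96 (etype 18) enc-part, and that the "signature" is a second EncryptedData under the same etype with no kvno, consistent with an Authenticator encrypted under the ticket's session key. Only the holder of the xmpp service key can open the ticket, recover that session key, and check the Authenticator's checksum against the SHA-1 the script prints.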