On 4/27/22 19:03, Viktor Dukhovni wrote:
> On 27 Apr 2022, at 12:45 pm, Michael Ströder <mich...@stroeder.com> wrote:
>> But my concern is rather that I would not connect my KDC to the
>> Internet (for now leaving aside approaches like proxy KCM).
>>
>> In general I'm leaning more towards using asymmetric keys for
>> authc. On my personal to-do list is to implement a simple X.509-CA
>> for issuing short-term client certs, with a CLI tool to directly
>> manipulate Thunderbird and Firefox key/cert DB.
>
> FWIW, both Heimdal and MIT KDCs support "pkinit",
Yes, all this but...
> That said, there is not yet support for "raw public key" AS requests, where the
> KDC stores the user's public key, rather than either a symmetric key or a
> trusted issuer CA.
...the above will probably never happen.
Or, to put it the other way: today this is rather covered by JWT/OAuth2 or
similar, which are also more proxy-friendly than e.g. TLS with client
certs. Not sure about the smooth integration in MUAs though.
SASL-XOAUTH2 does not seem to be widely implemented (phew, stay a bit
on-topic... ;-)
> Either way a compromised CA or a compromised KDC is bad news...
Yes!
And one of my biggest concerns is bad operational practices. That's why
admins should not have to manually deal with crypto key files like
service keytabs or TLS server keys.
Ciao, Michael.
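Added example, not part of the thread above and not code from any of the
participants: the SASL XOAUTH2 mechanism that the reply mentions carries a
bearer token inside a fixed ^A-delimited initial client response, which is
what an MUA would send after AUTHENTICATE XOAUTH2 (IMAP) or AUTH XOAUTH2
(SMTP). The block below builds that response on the client side and parses
it strictly on the server side, rejecting malformed framing rather than
guessing. The mailbox name and the token value are constructed placeholders;
a real deployment would put an OAuth2 access token in the token slot, and
token validation itself is out of scope here.

```python
import base64

# Constructed sample values (not from the thread): a mailbox and a
# placeholder token standing in for an OAuth2 access token.
SAMPLE_USER = "alice@example.org"
SAMPLE_TOKEN = "ya29.constructed-placeholder-token"

SEP = "\x01"  # the ^A (0x01) field separator used by XOAUTH2


def build_xoauth2_initial_response(user: str, access_token: str) -> str:
    """Encode the SASL XOAUTH2 initial client response.

    Wire format before base64:  "user=" <user> ^A "auth=Bearer " <token> ^A ^A
    Returns the base64 text the client sends on the AUTHENTICATE/AUTH line.
    """
    if SEP in user or SEP in access_token:
        # A 0x01 inside either field would let an attacker inject a second
        # field or truncate the framing; refuse rather than encode it.
        raise ValueError("0x01 separator must not appear in user or token")
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_xoauth2_initial_response(b64: str) -> dict:
    """Server-side parse of the initial response.

    Returns {"user": ..., "token": ...} or raises ValueError. Every check
    is strict: anything that deviates from the exact two-field framing is
    rejected, so a truncated or padded response is never mistaken for a
    valid one.
    """
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("not valid base64/UTF-8") from exc
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing terminating ^A^A")
    fields = raw[:-2].split(SEP)
    if len(fields) != 2:
        raise ValueError("expected exactly a user= and an auth= field")
    user_field, auth_field = fields
    if not user_field.startswith("user="):
        raise ValueError("first field must be user=")
    if not auth_field.startswith("auth=Bearer "):
        raise ValueError("second field must be auth=Bearer ...")
    user = user_field[len("user="):]
    token = auth_field[len("auth=Bearer "):]
    if not user or not token:
        raise ValueError("empty user or token")
    return {"user": user, "token": token}


if __name__ == "__main__":
    wire = build_xoauth2_initial_response(SAMPLE_USER, SAMPLE_TOKEN)
    print("client sends:", wire)
    print("server parses:", parse_xoauth2_initial_response(wire))
```

The separator check in the builder and the exact-field-count check in the
parser are the parts worth keeping in any real implementation: the framing
has no length prefixes, so the only defence against a crafted user name or
token that smuggles in extra fields is to refuse the 0x01 byte on the way in
and to refuse any response that does not split into exactly two fields on
the way out.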