Hi Weijun and Sean,

We are a small group of engineers at Uber working in the Kerberos space (blog <https://www.uber.com/blog/scaling-adoption-of-kerberos-at-uber/>). PKINIT (RFC 4556 <https://datatracker.ietf.org/doc/html/rfc4556>) was proposed in 2006 and has been part of MIT Kerberos (doc <https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html>), but it is not yet supported natively in JDK. We'd like to add PKINIT support to Krb5LoginModule and are writing to socialize the change and request sponsorship.

Many of Uber's critical services rely on keytabs (long-lived secrets) to authenticate with Kerberos. Highly privileged keytabs are distributed across thousands of nodes, which makes them difficult to rotate (blog <https://www.uber.com/blog/automating-kerberos-keytab-rotation-at-uber/>) without disruption and carries major risks if leaked. Uber's internal strategy involves replacing these keytabs with short-lived X.509 client certificates via PKINIT, which are easier to rotate and align better with modern PKI infrastructure.

We implemented PKINIT in our internal fork of Krb5LoginModule and have been running it in production since July 2025. The main changes include:

- Constructing and parsing PKINIT-specific PA-DATA (PA-PK-AS-REQ / PA-PK-AS-REP) per the RFC, and
- Adding JAAS config options to enable PKINIT in Krb5LoginModule.

First-class PKINIT support in the JDK would provide the Java community with an alternative to Kerberos keytabs. Developers can choose the Kerberos authentication approach that suits their environment: keep keytabs where they work well, or opt into short-lived, easy-to-rotate certificates via PKINIT.

We have not made contributions to JDK in the past. If you are supportive, could one of you serve as Sponsor <https://openjdk.org/guide/#find-a-sponsor> and guide us through the contribution process?

Thank you for your time and consideration.

Best regards,
Junyan
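For readers unfamiliar with the PA-DATA the proposal refers to, the following is an added illustration (not code from Uber's fork or from the JDK) of the client-side PKINIT pre-authentication structures defined in RFC 4556 section 3.2.1, encoded with a small hand-written DER encoder. It assumes the ASN.1 definitions of PKAuthenticator, AuthPack, PA-PK-AS-REQ (RFC 4556) and PA-DATA (RFC 4120) as published; the KDC-REQ-BODY bytes and the CMS SignedData over the AuthPack are constructed placeholders, since a real client derives the former from its AS-REQ and produces the latter by signing with its X.509 client key through a CMS library.

```java
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;

/** Added example: PKINIT AS-REQ pre-authentication skeleton per RFC 4556 section 3.2.1. */
public final class PkinitPaDataExample {

    // pa-data type numbers registered by RFC 4556.
    static final int PA_PK_AS_REQ = 16;
    static final int PA_PK_AS_REP = 17;

    /** DER definite-form length: short form below 128, long form otherwise. */
    static byte[] derLength(int len) {
        if (len < 0x80) {
            return new byte[] {(byte) len};
        }
        byte[] be = BigInteger.valueOf(len).toByteArray();  // big-endian, may carry a leading 0x00
        int start = (be[0] == 0) ? 1 : 0;
        byte[] out = new byte[1 + be.length - start];
        out[0] = (byte) (0x80 | (be.length - start));
        System.arraycopy(be, start, out, 1, be.length - start);
        return out;
    }

    static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        for (byte[] p : parts) bos.write(p, 0, p.length);
        return bos.toByteArray();
    }

    /** Tag-Length-Value, the building block for every DER element below. */
    static byte[] tlv(int tag, byte[] content) {
        return concat(new byte[] {(byte) tag}, derLength(content.length), content);
    }

    static byte[] derSequence(byte[]... elements) { return tlv(0x30, concat(elements)); }
    static byte[] derOctetString(byte[] b)        { return tlv(0x04, b); }
    static byte[] derInteger(long v)              { return tlv(0x02, BigInteger.valueOf(v).toByteArray()); }

    /** Explicit context-specific tag [n]: constructed form, 0xA0 | n. */
    static byte[] ctx(int n, byte[] inner)        { return tlv(0xA0 | n, inner); }

    /** KerberosTime is a GeneralizedTime in UTC with no fractional seconds (RFC 4120). */
    static byte[] kerberosTime(Instant t) {
        String s = DateTimeFormatter.ofPattern("yyyyMMddHHmmss'Z'").withZone(ZoneOffset.UTC).format(t);
        return tlv(0x18, s.getBytes(StandardCharsets.US_ASCII));
    }

    /**
     * PKAuthenticator ::= SEQUENCE { cusec [0] INTEGER, ctime [1] KerberosTime,
     *   nonce [2] INTEGER, paChecksum [3] OCTET STRING OPTIONAL }
     * paChecksum is SHA-1 over the DER KDC-REQ-BODY, binding the signed pre-authenticator
     * to this one request body.
     */
    static byte[] pkAuthenticator(Instant now, long nonce, byte[] kdcReqBodyDer) throws NoSuchAlgorithmException {
        byte[] paChecksum = MessageDigest.getInstance("SHA-1").digest(kdcReqBodyDer);
        return derSequence(
                ctx(0, derInteger(now.getNano() / 1000)),
                ctx(1, kerberosTime(now)),
                ctx(2, derInteger(nonce)),
                ctx(3, derOctetString(paChecksum)));
    }

    /** AuthPack ::= SEQUENCE { pkAuthenticator [0] PKAuthenticator, ... }; DH-mode fields omitted here. */
    static byte[] authPack(byte[] pkAuthenticator) { return derSequence(ctx(0, pkAuthenticator)); }

    /**
     * PA-PK-AS-REQ ::= SEQUENCE { signedAuthPack [0] IMPLICIT OCTET STRING, ... }
     * IMPLICIT tagging replaces the OCTET STRING tag 0x04 with the primitive context tag 0x80.
     */
    static byte[] paPkAsReq(byte[] signedAuthPackCms) { return derSequence(tlv(0x80, signedAuthPackCms)); }

    /** PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING } (RFC 4120). */
    static byte[] paData(int type, byte[] value) {
        return derSequence(ctx(1, derInteger(type)), ctx(2, derOctetString(value)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in: a real client DER-encodes the KDC-REQ-BODY of its own AS-REQ.
        byte[] kdcReqBodyDer = "constructed KDC-REQ-BODY placeholder".getBytes(StandardCharsets.US_ASCII);
        byte[] pack = authPack(pkAuthenticator(Instant.now(), 0x1234_5678L, kdcReqBodyDer));
        // Placeholder: in PKINIT this is CMS SignedData(id-pkinit-authData, pack) signed with the client key.
        byte[] signedAuthPackCms = pack;
        byte[] padata = paData(PA_PK_AS_REQ, paPkAsReq(signedAuthPackCms));

        StringBuilder hex = new StringBuilder();
        for (byte b : padata) hex.append(String.format("%02x", b));
        System.out.println("PA-DATA (type " + PA_PK_AS_REQ + "): " + hex);
    }
}
```

The KDC's reply arrives as pa-data type 17 (PA-PK-AS-REP) and is parsed the same way in reverse; the part this skeleton leaves out, signing the AuthPack and verifying the KDC's signature and certificate chain, is where the trust decisions of a Krb5LoginModule implementation live, and it is why a JDK-native implementation rather than per-site forks matters for the security review of that code.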