Hi Weijun and Sean,

We are a small group of engineers at Uber working in the Kerberos space (
blog <https://www.uber.com/blog/scaling-adoption-of-kerberos-at-uber/>).
PKINIT (RFC 4556 <https://datatracker.ietf.org/doc/html/rfc4556>) was
proposed in 2006 and has been part of MIT Kerberos (doc
<https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html>), but it is
not yet supported natively in JDK. We’d like to add PKINIT support to
Krb5LoginModule and are writing to socialize the change and request
sponsorship.

Many of Uber’s critical services rely on keytabs (long‑lived secrets) to
authenticate with Kerberos. Highly privileged keytabs are distributed
across thousands of nodes, which makes them difficult to rotate (blog
<https://www.uber.com/blog/automating-kerberos-keytab-rotation-at-uber/>)
without disruption and carries major risks if leaked. Uber’s internal
strategy involves replacing these keytabs with short-lived X.509 client
certificates via PKINIT, which are easier to rotate and align better with
modern PKI infrastructure.

We implemented PKINIT in our internal fork of Krb5LoginModule and have been
running it in production since July 2025. The main changes include:

   - Constructing and parsing PKINIT‑specific PA‑DATA (PA‑PK‑AS‑REQ /
     PA‑PK‑AS‑REP) per the RFC, and
   - Adding JAAS config options to enable PKINIT in Krb5LoginModule.


First‑class PKINIT support in the JDK would provide the Java community with
an alternative to Kerberos keytabs. Developers can choose the Kerberos
authentication approach that suits their environment: keep keytabs where
they work well, or opt into short‑lived, easy‑to‑rotate certificates via
PKINIT.

We have not made contributions to JDK in the past. If you are supportive,
could one of you serve as Sponsor
<https://openjdk.org/guide/#find-a-sponsor> and guide us through the
contribution process?

Thank you for your time and consideration.

Best regards,

Junyan

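The first change listed in the message, building and parsing the PKINIT PA-DATA, is the part a reviewer of such a contribution will look at most closely, because PKINIT mixes tagging conventions: the Kerberos ASN.1 module (RFC 4120) is EXPLICIT TAGS, but PA-PK-AS-REQ (RFC 4556 section 3.2.1) declares signedAuthPack and kdcPkId IMPLICIT. The following is an added worked example in Python and is not code from the JDK, from Uber's fork, or from this message. It encodes and decodes the PA-DATA wrapper and the PA-PK-AS-REQ body with a minimal DER layer, shows a decoder that refuses an explicitly tagged signedAuthPack, and uses a constructed placeholder where the CMS SignedData would go; the function names, the placeholder bytes and the kdcPkId value are assumptions made for the example.

```python
# Added worked example, not JDK, Uber, or mailing-list code: a minimal DER encoder/decoder
# for the PKINIT pre-authentication wrapper.  PA-DATA (RFC 4120 section 5.2.7) uses the
# Kerberos module's EXPLICIT tags, while PA-PK-AS-REQ (RFC 4556 section 3.2.1) declares
# signedAuthPack and kdcPkId IMPLICIT (primitive context tags 0x80 / 0x82, no [n] wrapper).
PA_PK_AS_REQ = 16  # padata-type values from RFC 4556 section 3.1
PA_PK_AS_REP = 17
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04

def der_len(n):
    """Definite length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):  # minimal two's-complement INTEGER, enough for an Int32 padata-type
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def encode_pa_pk_as_req(signed_auth_pack, kdc_pk_id=None):
    """PA-PK-AS-REQ; the OPTIONAL trustedCertifiers field is omitted."""
    body = tlv(0x80, signed_auth_pack)      # signedAuthPack [0] IMPLICIT OCTET STRING
    if kdc_pk_id is not None:
        body += tlv(0x82, kdc_pk_id)        # kdcPkId [2] IMPLICIT OCTET STRING
    return tlv(SEQUENCE, body)

def encode_pa_data(padata_type, padata_value):
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }."""
    return tlv(SEQUENCE, tlv(0xA1, der_int(padata_type))
               + tlv(0xA2, tlv(OCTET_STRING, padata_value)))

def read_tlv(buf, pos=0):
    """One DER element -> (tag, content, end); indefinite and non-minimal lengths are refused."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf) or buf[pos] == 0:
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if length < 0x80:
            raise ValueError("non-minimal length")
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, tag, pos, what):  # read one element and insist on its tag
    t, content, end = read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"{what}: expected tag 0x{tag:02x}, got 0x{t:02x}")
    return content, end

def decode_pa_data(buf):
    """-> (padata-type, padata-value); trailing bytes are rejected outside and inside the SEQUENCE."""
    seq, end = expect(buf, SEQUENCE, 0, "PA-DATA")
    if end != len(buf):
        raise ValueError("trailing bytes after PA-DATA")
    wrapped, pos = expect(seq, 0xA1, 0, "padata-type")
    padata_type = int.from_bytes(expect(wrapped, INTEGER, 0, "padata-type")[0], "big", signed=True)
    wrapped, pos = expect(seq, 0xA2, pos, "padata-value")
    if pos != len(seq):
        raise ValueError("trailing bytes inside PA-DATA")
    return padata_type, expect(wrapped, OCTET_STRING, 0, "padata-value")[0]

def decode_pa_pk_as_req(buf):
    """-> (signedAuthPack, kdcPkId or None); trustedCertifiers is skipped, not parsed."""
    seq, end = expect(buf, SEQUENCE, 0, "PA-PK-AS-REQ")
    if end != len(buf):
        raise ValueError("trailing bytes after PA-PK-AS-REQ")
    signed_auth_pack, pos = expect(seq, 0x80, 0, "signedAuthPack [0] IMPLICIT")
    kdc_pk_id = None
    while pos < len(seq):
        t, content, pos = read_tlv(seq, pos)
        if t == 0x82:
            kdc_pk_id = content
        elif t != 0xA1:
            raise ValueError(f"unexpected tag 0x{t:02x} in PA-PK-AS-REQ")
    return signed_auth_pack, kdc_pk_id

def rejects(pa_data):  # True if the decoders refuse this PA-DATA (and any PA-PK-AS-REQ inside)
    try:
        ptype, value = decode_pa_data(pa_data)
        if ptype == PA_PK_AS_REQ:
            decode_pa_pk_as_req(value)
        return False
    except ValueError:
        return True

FAKE_SIGNED_AUTH_PACK = b"<constructed placeholder for the CMS SignedData>"  # not real CMS

def build_request():
    """Client side: the PA-DATA entry that goes into the AS-REQ padata list (kdcPkId assumed)."""
    return encode_pa_data(PA_PK_AS_REQ, encode_pa_pk_as_req(FAKE_SIGNED_AUTH_PACK, b"\x01\x02"))

def build_request_with_explicit_tag_bug():
    """Common mistake: EXPLICIT [0] (0xA0 around 0x04) for signedAuthPack."""
    wrong = tlv(SEQUENCE, tlv(0xA0, tlv(OCTET_STRING, FAKE_SIGNED_AUTH_PACK)))
    return encode_pa_data(PA_PK_AS_REQ, wrong)
```

The decoder is strict on purpose: it refuses indefinite and non-minimal lengths, trailing bytes, and an explicitly tagged signedAuthPack, which is the kind of check a KDC or a Java client should make before handing the octet string to a CMS verifier. A real implementation would replace the placeholder with a CMS SignedData over an AuthPack (PKAuthenticator with the checksum of the AS-REQ body, plus the client's DH public value or nothing for the public-key encryption mode) and would also parse trustedCertifiers and the PA-PK-AS-REP reply; those parts are not shown here.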