Re: CONSENSUS CALL - #838 - KDC_ERR_CERT_MISMATCH


Jeffrey Hutzelman


On Monday, March 14, 2005 06:16:49 PM -0500 Jeffrey Hutzelman
<[hidden email]> wrote:

> This is ticket #838
>
> The PKINIT spec currently says:
>
>    The KDC MUST return error code KDC_ERR_CERTIFICATE_MISMATCH if the
>    client included a kdcCert field in the PA-PK-AS-REQ and the KDC does
>    not have the corresponding certificate.
>
> Larry proposed dropping this error code, and instead having the KDC
> behave in this case as if the client had not specified a particular KDC
> key; the new behaviour would be REQUIRED.
>
> The new text (as it appears in PKINIT-25):
>
>    If the client included a kdcPkId field in the PA-PK-AS-REQ and the
>    KDC does not possess the corresponding key, the KDC MUST ignore the
>    kdcPkId field as if the client did not include one.
>
>
>
> I have seen notes from Nico and Love supporting this change, and no
> objections.  Speaking as an individual, I have no objection to this.
>
> Speaking as a chair, I'd like to see comments from other members of the
> working group either supporting or opposing this change.


Seeing no further comments, and pursuant to my previous note about
deadlines on consensus calls, I'm calling this one done.

-- Jeff
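As an added illustration, not code from the thread or from any PKINIT implementation, the following Python model contrasts the two KDC behaviours under discussion: the older text returning KDC_ERR_CERTIFICATE_MISMATCH when the client's kdcPkId names a key the KDC lacks, versus the PKINIT-25 text that ignores the field and proceeds as if it were absent. The DER shape assumed for kdcPkId (a CMS SignerIdentifier, here only its [0] subjectKeyIdentifier choice) and the SHA-1 key identifier follow RFC 4556 and RFC 5280 rather than this message, and all key bytes are constructed.

```python
"""Model KDC handling of the optional kdcPkId field in PA-PK-AS-REQ.

Constructed example; key material is fake. Two policies are modelled:
  legacy=True  -> pre-#838 text: unknown kdcPkId is an error
  legacy=False -> PKINIT-25 text: unknown kdcPkId is ignored
"""
import hashlib
from typing import Optional, Set, Tuple

KDC_ERR_CERTIFICATE_MISMATCH = "KDC_ERR_CERTIFICATE_MISMATCH"


def subject_key_identifier(subject_public_key: bytes) -> bytes:
    # RFC 5280 method (1): SHA-1 over the subjectPublicKey value.
    return hashlib.sha1(subject_public_key).digest()


def encode_kdc_pk_id(ski: bytes) -> bytes:
    # SignerIdentifier, subjectKeyIdentifier choice: [0] IMPLICIT OCTET STRING,
    # i.e. context-specific primitive tag 0x80 with a short-form length.
    if len(ski) >= 128:
        raise ValueError("SKI too long for short-form DER length")
    return bytes([0x80, len(ski)]) + ski


def decode_kdc_pk_id(der: bytes) -> bytes:
    # Only the subjectKeyIdentifier choice is modelled; anything else is
    # treated as unparseable (an assumption beyond the spec text quoted above).
    if len(der) < 2 or der[0] != 0x80 or der[1] != len(der) - 2:
        raise ValueError("unsupported or malformed kdcPkId")
    return der[2:]


def select_kdc_key(kdc_skis: Set[bytes], kdc_pk_id: Optional[bytes],
                   default_ski: bytes, legacy: bool = False
                   ) -> Tuple[Optional[bytes], Optional[str]]:
    """Return (chosen SKI, error). kdc_skis are the identifiers the KDC holds."""
    if kdc_pk_id is None:
        return default_ski, None            # client named no key
    wanted = decode_kdc_pk_id(kdc_pk_id)
    if wanted in kdc_skis:
        return wanted, None                 # KDC has the requested key
    if legacy:
        return None, KDC_ERR_CERTIFICATE_MISMATCH
    # PKINIT-25: MUST ignore kdcPkId as if the client did not include one.
    return default_ski, None


if __name__ == "__main__":
    held = subject_key_identifier(b"constructed-kdc-key-A")
    asked = subject_key_identifier(b"constructed-kdc-key-B")  # not held
    print(select_kdc_key({held}, encode_kdc_pk_id(asked), held, legacy=True))
    print(select_kdc_key({held}, encode_kdc_pk_id(asked), held))
```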