On Monday, March 14, 2005 06:16:49 PM -0500 Jeffrey Hutzelman
<[hidden email]> wrote:
> This is ticket #838
>
> The PKINIT spec currently says:
>
>    The KDC MUST return error code KDC_ERR_CERTIFICATE_MISMATCH if the
>    client included a kdcCert field in the PA-PK-AS-REQ and the KDC does
>    not have the corresponding certificate.
>
> Larry proposed dropping this error code, and instead having the KDC
> behave in this case as if the client had not specified a particular KDC
> key; the new behaviour would be REQUIRED.
>
> The new text (as it appears in PKINIT-25):
>
>    If the client included a kdcPkId field in the PA-PK-AS-REQ and the
>    KDC does not possess the corresponding key, the KDC MUST ignore the
>    kdcPkId field as if the client did not include one.
>
> I have seen notes from Nico and Love supporting this change, and no
> objections. Speaking as an individual, I have no objection to this.
> Speaking as a chair, I'd like to see comments from other members of the
> working group either supporting or opposing this change.

Seeing no further comments, and pursuant to my previous note about
deadlines on consensus calls, I'm calling this one done.