[krbdev.mit.edu #8733] Multiple pkinit_identities semantics are unclear and perhaps not useful

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[krbdev.mit.edu #8733] Multiple pkinit_identities semantics are unclear and perhaps not useful

Greg Hudson via RT-2
The documentation for pkinit_identities states:

    This option may be specified multiple
    times.  Each value is attempted in order until identity
    information is found and authentication is attempted.

This could be interpreted in several ways.  In reality, the loop in
pkinit_identity_initialize() tries each value until one of them
successfully parses, regardless of whether the parsed values point to
valid identity information.  These don't seem like very useful
semantics, but I can think of one useful scenarios: an ENV: value
will fail to parse if the environment variable isn't defined, so the
first value could specify an override variable and the second value
could specify a default.  (A PKCS11: value will also fail to parse if
the library has no PKCS11 support, but that doesn't seem very
useful.)

Other possible semantics for multiple pkinit_identities values
include:

* Try to load all of them into the creds array and then use identity
selection to pick one.  This meaning doesn't match the current
documentation but hews closely to what we do for multiple creds
obtained via a single DIR: value.

* Try each value until not just until one of them parses, but until
one of them results in a PKINIT request (as indicated by "and
authentication is attempted" in the documentation).

Both approaches would require substantial code changes and (as far as
I can remember) nobody has really asked for either of them, so
clarifying the documentation may be the best change for now.

_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs