On Aug 31, 2007, at 7:01 AM, Proycon P. wrote:
> However, I am not interested in the technical specification, I simply
> want to use the package.
RFC4665, Section 3.2.2, "Receipt of Client Request" says, in part:
"""
In addition to validating the client's signature, the KDC MUST also
check that the client's public key used to verify the client's
signature is bound to the client principal name specified in the
AS-REQ as follows:

1. If the KDC has its own binding between either the client's
   signature-verification public key or the client's certificate and
   the client's Kerberos principal name, it uses that binding.

2. Otherwise, if the client's X.509 certificate contains a Subject
   Alternative Name (SAN) extension carrying a KRB5PrincipalName
   (defined below) in the otherName field of the type GeneralName
   [RFC3280], it binds the client's X.509 certificate to that name.

   The type of the otherName field is AnotherName. The type-id field
   of the type AnotherName is id-pkinit-san:

      id-pkinit-san OBJECT IDENTIFIER ::=
        { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
          x509SanAN (2) }

   And the value field of the type AnotherName is a KRB5PrincipalName.

      KRB5PrincipalName ::= SEQUENCE {
          realm                   [0] Realm,
          principalName           [1] PrincipalName
      }
"""
Also note Appendix C, "Miscellaneous Information about Microsoft
Windows PKINIT Implementations", which talks about the differences
between the spec and Windows KDC implementation requirements.
Like I said, start with the RFC.
-- Tim
_______________________________________________
opensc-user mailing list
opensc-user lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user
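The binding check described in the PKINIT text quoted in Tim's message (step 2 of section 3.2.2: find an otherName of type id-pkinit-san in the certificate's SAN, decode the KRB5PrincipalName inside it, and compare it with the client name in the AS-REQ) is easier to see with bytes in hand. The following is an added example, written for this page rather than taken from OpenSC, MIT Kerberos or any KDC; it hand-encodes a SAN extension value with a tiny DER encoder, then parses it back the way a KDC would have to. All function names, the realm EXAMPLE.COM, the principal "alice" and the sample SAN values are constructed for illustration. The OIDs are real: 1.3.6.1.5.2.2 is id-pkinit-san from the quoted text, and 1.3.6.1.4.1.311.20.2.3 is the Microsoft UPN otherName type, included only to show that a SAN entry of a different otherName type does not satisfy the rule as quoted.

```python
"""PKINIT SAN binding check (RFC 4556 section 3.2.2, step 2), pure Python.
Added example; not code from the opensc-user thread or any Kerberos project."""

ID_PKINIT_SAN = "1.3.6.1.5.2.2"            # id-pkinit-san, as quoted in the message
MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"      # Microsoft UPN otherName type (for contrast)
NT_PRINCIPAL = 1                           # Kerberos name-type used for ordinary users

# --- minimal DER helpers, enough for this structure (no external libraries) ---

def der_len(n):
    """DER length: short form below 128, long form (0x8N + big-endian bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV from dotted form; arcs above 127 use base-128 chunks."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def decode_oid(body):
    """Dotted form from an OID body (first two arcs packed into the first byte)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """All (tag, body) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

# --- encoding side: what a CA would put into the certificate's SAN ---

def kerberos_string(s):
    return tlv(0x1B, s.encode("ascii"))    # KerberosString is a GeneralString

def encode_krb5_principal_name(realm, components, name_type=NT_PRINCIPAL):
    """KRB5PrincipalName with the EXPLICIT tagging of the Kerberos ASN.1 module."""
    principal = tlv(0x30,
        tlv(0xA0, tlv(0x02, bytes([name_type]))) +                         # name-type [0]
        tlv(0xA1, tlv(0x30, b"".join(kerberos_string(c) for c in components))))  # name-string [1]
    return tlv(0x30, tlv(0xA0, kerberos_string(realm)) + tlv(0xA1, principal))

def other_name(oid, value_der):
    # GeneralName otherName is [0] IMPLICIT AnotherName, so the SEQUENCE tag of
    # AnotherName becomes context tag [0] (0xA0); its value field is [0] EXPLICIT.
    return tlv(0xA0, encode_oid(oid) + tlv(0xA0, value_der))

def dns_name(host):
    return tlv(0x82, host.encode("ascii"))  # dNSName [2] IMPLICIT IA5String

def general_names(*names):
    return tlv(0x30, b"".join(names))       # GeneralNames ::= SEQUENCE OF GeneralName

# --- decoding side: what the KDC does with the SAN it finds in the cert ---

def decode_krb5_principal_name(der):
    tag, body, _ = read_tlv(der)
    assert tag == 0x30, "KRB5PrincipalName must be a SEQUENCE"
    fields = dict(children(body))
    realm = children(fields[0xA0])[0][1].decode("ascii")
    principal = dict(children(children(fields[0xA1])[0][1]))
    name_type = int.from_bytes(children(principal[0xA0])[0][1], "big", signed=True)
    comps = [c.decode("ascii") for _, c in children(children(principal[0xA1])[0][1])]
    return realm, name_type, comps

def pkinit_principals_in_san(san_der):
    """Every KRB5PrincipalName carried in an id-pkinit-san otherName of the SAN."""
    _, body, _ = read_tlv(san_der)
    found = []
    for gn_tag, gn_body in children(body):
        if gn_tag != 0xA0:                 # dNSName, rfc822Name, ...: not an otherName
            continue
        (_, oid_body), (_, val_body) = children(gn_body)
        if decode_oid(oid_body) != ID_PKINIT_SAN:
            continue                       # e.g. a UPN otherName: not a KRB5PrincipalName
        found.append(decode_krb5_principal_name(val_body))
    return found

def cert_binds_to_principal(san_der, req_realm, req_components):
    """Step 2 of section 3.2.2: does the SAN bind the cert to the AS-REQ client name?
    Realm and every name component must match exactly (case-sensitive)."""
    return any(realm == req_realm and comps == req_components
               for realm, _nt, comps in pkinit_principals_in_san(san_der))

# Constructed sample SAN values (not from any real certificate).
SAN_ALICE = general_names(
    dns_name("workstation.example.com"),
    other_name(ID_PKINIT_SAN, encode_krb5_principal_name("EXAMPLE.COM", ["alice"])),
)
SAN_UPN_ONLY = general_names(
    other_name(MS_UPN_OID, tlv(0x0C, b"alice@example.com")),   # UPN is a UTF8String
)

if __name__ == "__main__":
    print(pkinit_principals_in_san(SAN_ALICE))
    print(cert_binds_to_principal(SAN_ALICE, "EXAMPLE.COM", ["alice"]))
    print(cert_binds_to_principal(SAN_ALICE, "EXAMPLE.COM", ["bob"]))
    print(cert_binds_to_principal(SAN_UPN_ONLY, "EXAMPLE.COM", ["alice"]))
```

The point a practitioner should take from this: a certificate that merely names alice somewhere (a dNSName, an e-mail address, or a UPN otherName) does not satisfy the quoted rule; the KDC needs either its own binding (step 1) or a KRB5PrincipalName under id-pkinit-san whose realm and name-string match the AS-REQ exactly. The Windows-specific differences Tim points to in Appendix C are why a card enrolled for a Windows domain can carry a SAN that this strict check rejects.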