Subject: pkinit_identity and pkinit_identities are confusingly similar
pkinit_identity specifies the location of the KDC certificate, while
pkinit_identities specifies the location of possible client certificates.
These names are confusingly similar. We have two options:
1. Create new names (such as pkinit_kdc_cert and pkinit_client_certs),
but fall back to the old names for compatibility.
2. In the documentation (krb5_conf.rst, kdc_conf.rst, and pkinit.rst),
specifically call out the confusing similarity.
Here is an example (not the only example) of someone confusing the two
variable names while trying to set up PKINIT:
http://mailman.mit.edu/pipermail/kerberos/2014-June/019922.html
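
The mix-up described above can be caught mechanically. The following lint is an added example, not part of the original ticket or of the krb5 code base. It assumes that [libdefaults] is consulted only by clients and [kdcdefaults] only by the KDC; the function name, file paths and sample configuration are constructed for illustration.

```python
import re

# Assumption: [libdefaults] is client-only and [kdcdefaults] is KDC-only, so
# the other role's PKINIT identity option in either section is a mix-up.
# Maps section -> (name that is wrong there, name that was probably meant).
WRONG_ROLE = {
    "libdefaults": ("pkinit_identity", "pkinit_identities"),
    "kdcdefaults": ("pkinit_identities", "pkinit_identity"),
}

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]\s*$")
RELATION_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=")


def find_pkinit_mixups(text):
    """Return (line_no, section, found, suggested) for each suspect line."""
    findings = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = RELATION_RE.match(line)
        if m and section in WRONG_ROLE:
            wrong, right = WRONG_ROLE[section]
            if m.group(1) == wrong:
                findings.append((line_no, section, wrong, right))
    return findings


# Constructed sample with both mistakes; realm and paths are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    pkinit_anchors = FILE:/etc/krb5/cacert.pem
    # client certificate, set with the KDC-side name by mistake
    pkinit_identity = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem

[kdcdefaults]
    pkinit_identities = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
"""

if __name__ == "__main__":
    for line_no, section, found, suggested in find_pkinit_mixups(SAMPLE):
        print(f"line {line_no}: [{section}] sets {found}; did you mean {suggested}?")
```

The [realms] section is deliberately not checked, because both clients and the KDC read it and either name can be legitimate there.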