Skip Menu |
 

Subject: pkinit_identity and pkinit_identities are confusingly similar
pkinit_identity specifies the location of the KDC certificate, while
pkinit_identities specifies the location of possible client certificates.
These names are confusingly similar. We have two options:

1. Create new names (such as pkinit_kdc_cert and pkinit_client_certs),
but fall back to the old names for compatibility.

2. In the documentation (krb5_conf.rst, kdc_conf.rst, and pkinit.rst),
specifically call out the confusing similarity.

Here is an example (not the only example) of someone confusing the two
variable names while trying to set up PKINIT:

http://mailman.mit.edu/pipermail/kerberos/2014-June/019922.html
[ghudson - Mon Jun 9 12:03:39 2014]:

Show quoted text
> pkinit_identity specifies the location of the KDC certificate, while
> pkinit_identities specifies the location of possible client certificates.
> These names are confusingly similar. We have two options:
>
> 1. Create new names (such as pkinit_kdc_cert and pkinit_client_certs),
> but fall back to the old names for compatibility.
>
> 2. In the documentation (krb5_conf.rst, kdc_conf.rst, and pkinit.rst),
> specifically call out the confusing similarity.
>
> Here is an example (not the only example) of someone confusing the two
> variable names while trying to set up PKINIT:
>
> http://mailman.mit.edu/pipermail/kerberos/2014-June/019922.html

I think we should do (2) and then (1).
This bug is for the documentation issue; renaming the parameters will be a different bug.