Skip Menu |
 

Subject: Multiple pkinit_identities semantics are unclear and perhaps not useful
Download (untitled) / with headers
text/plain 1.4KiB
The documentation for pkinit_identities states:

This option may be specified multiple
times. Each value is attempted in order until identity
information is found and authentication is attempted.

This could be interpreted in several ways. In reality, the loop in
pkinit_identity_initialize() tries each value until one of them
successfully parses, regardless of whether the parsed values point to
valid identity information. These don't seem like very useful
semantics, but I can think of one useful scenarios: an ENV: value
will fail to parse if the environment variable isn't defined, so the
first value could specify an override variable and the second value
could specify a default. (A PKCS11: value will also fail to parse if
the library has no PKCS11 support, but that doesn't seem very
useful.)

Other possible semantics for multiple pkinit_identities values
include:

* Try to load all of them into the creds array and then use identity
selection to pick one. This meaning doesn't match the current
documentation but hews closely to what we do for multiple creds
obtained via a single DIR: value.

* Try each value until not just until one of them parses, but until
one of them results in a PKINIT request (as indicated by "and
authentication is attempted" in the documentation).

Both approaches would require substantial code changes and (as far as
I can remember) nobody has really asked for either of them, so
clarifying the documentation may be the best change for now.
From: ghudson@mit.edu
Subject: git commit

Clarify documentation on pkinit_identities

The documentation for pkinit_identities implies that we try harder to
use each value before ignoring the rest, when in fact we only go as
far as the first successful parse. Soften the language and describe
the most likely use case for multiple values under the current
semantics.

https://github.com/krb5/krb5/commit/e095b436d92d9aa30106509b5ccf76719e1668b3
Author: Greg Hudson <ghudson@mit.edu>
Commit: e095b436d92d9aa30106509b5ccf76719e1668b3
Branch: master
doc/admin/conf_files/krb5_conf.rst | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Clarify documentation on pkinit_identities

The documentation for pkinit_identities implies that we try harder to
use each value before ignoring the rest, when in fact we only go as
far as the first successful parse. Soften the language and describe
the most likely use case for multiple values under the current
semantics.

(cherry picked from commit e095b436d92d9aa30106509b5ccf76719e1668b3)

https://github.com/krb5/krb5/commit/456e41f848861217ddf5149b9e52e3ba6d42947c
Author: Greg Hudson <ghudson@mit.edu>
Commit: 456e41f848861217ddf5149b9e52e3ba6d42947c
Branch: krb5-1.16
doc/admin/conf_files/krb5_conf.rst | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)