help-shishi

Re: Shishi and certificates


From: Simon Josefsson
Subject: Re: Shishi and certificates
Date: Thu, 30 Nov 2006 13:17:45 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.91 (gnu/linux)

Alberto Fondi <address@hidden> writes:

> Hi,
>
>    we have proved shishi in our organization and, even if it is in
> development, it seems to be a very good program. In particular my
> chief very much likes the features about authentication codified with
> certificates. However we want to ask if it could be possible and if
> it is in program an authentication directly through certificates,
> where the user authenticates himself without providing a password, but
> using only his certificate.

Hi Alberto!  That is currently not possible, but what you describe is
exactly what the goal here is.  It should be possible to use X.509
client certificates or OpenPGP keys to get a Kerberos ticket.  I hope
to be able to work on this in the winter.  It is not much work
required to make this work, I expect a few weeks of development work
for me including documentation and testing etc.

Essentially what is missing is that the user database Shisa maps
X.509 certificates or OpenPGP keys to a Kerberos principal, and that
shishid uses that information and sends the AP-REP using NULL encryption
in the TLS authenticated channel.

Btw, let me know if you run into any problem or feel the documentation
is unclear somehow.  You are one of the earliest users, so all
feedback is very valuable.

/Simon



