RHEL-4902 (project RHEL)

[RFE] Add ECDH support for PKINIT (RFC5349) [rhel-9]

    • rhel-sst-idm-ipa
    • ssg_idm
    • Known Issue

      .MIT Kerberos does not support ECC certificates for PKINIT

      MIT Kerberos does not implement RFC 5349, which specifies elliptic-curve cryptography (ECC) support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT). Consequently, the MIT `krb5-pkinit` package used by RHEL does not support ECC certificates. For more information, see link:https://www.rfc-editor.org/rfc/rfc5349.html[Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)].
    • Done

      MS-PKCA v20211006 (section 2.2)[1] defines the following supported algorithms for PKINIT CMS signature:

      • md5WithRSAEncryption (since Windows Server 2003)
      • sha1WithRSAEncryption (newer than Windows Server 2003)
      • ecdsa-with-sha1/256/384/512 (newer than Windows Server 2008)

      Out of this list, ECDSA signatures are the only ones that can still be verified on RHEL 9 (SHA-1 and MD5 signature verification is disallowed by default). We should implement RFC5349[2] in MIT krb5 in order to support PKINIT pre-authentication against Active Directory.

      [1] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PKCA/%5bMS-PKCA%5d.pdf
      [2] https://www.rfc-editor.org/rfc/rfc5349.html
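The practical question behind the list above is which signature algorithm a given PKINIT certificate (a KDC or Active Directory certificate, or a user's smart-card certificate) actually carries, and whether the RHEL 9 DEFAULT crypto-policy will still verify it. The following is an added example, not code from this issue or from MIT krb5: a small hand-written DER walker that pulls the outer `signatureAlgorithm` OID out of an X.509 certificate and maps it against the MS-PKCA algorithms. The policy rule it encodes is the one stated above (SHA-1 and MD5 signatures rejected by default); note that this makes `ecdsa-with-SHA1` a rejected case too, because the digest, not the signature scheme, is what the policy disallows. The sample certificates are constructed in the block with the same helpers and are not real certificates; the parser assumes well-formed DER and does not handle long-form tags.

```python
# Added example (not from RHEL-4902 or MIT krb5): report the outer
# signatureAlgorithm of a DER X.509 certificate and whether the RHEL 9
# DEFAULT crypto-policy would still accept that signature.
import sys
from typing import Tuple

# OIDs of the PKINIT signature algorithms listed in MS-PKCA section 2.2,
# plus sha256WithRSAEncryption for comparison.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

# Assumption (matches the issue text): RHEL 9 DEFAULT refuses these digests in signatures.
REJECTED_DIGESTS = ("md5", "sha1")


def _tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at pos; return (tag, contents, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(contents: bytes) -> str:
    """Decode the contents octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [contents[0] // 40, contents[0] % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, cert, _ = _tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, after_tbs = _tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = _tlv(cert, after_tbs)  # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = _tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)


def classify(cert_der: bytes) -> Tuple[str, bool]:
    """Return (algorithm name, accepted under the RHEL 9 DEFAULT policy)."""
    name = SIG_OIDS.get(signature_algorithm(cert_der), "unknown")
    rejected = any(d in name.lower() for d in REJECTED_DIGESTS)
    return name, name != "unknown" and not rejected


# --- constructed sample input (not real certificates) -----------------------

def _der(tag: int, contents: bytes) -> bytes:
    """Short-form DER TLV; enough for the small samples built here."""
    assert len(contents) < 128
    return bytes([tag, len(contents)]) + contents


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]               # base-128, last byte without continuation bit
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))


def sample_certificate(sig_oid: str) -> bytes:
    """Certificate-shaped SEQUENCE with a dummy tbsCertificate and signature,
    carrying the requested signatureAlgorithm OID with NULL parameters."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, encode_oid(sig_oid) + b"\x05\x00")
    sig = _der(0x03, b"\x00" + b"\xaa" * 8)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Usage: python pkinit_sigalg.py cert.der   (convert PEM with openssl x509 -outform DER)
    with open(sys.argv[1], "rb") as fh:
        print("%s accepted=%s" % classify(fh.read()))
```

On a real file, first convert PEM to DER with `openssl x509 -in cert.pem -outform DER -out cert.der`; the script reads only the outer AlgorithmIdentifier, which is the algorithm the issuer used to sign, and so is what the policy checks during chain verification. A certificate that reports `sha1WithRSAEncryption` or `ecdsa-with-SHA1` will fail PKINIT on RHEL 9 regardless of key type until the issuer re-signs it.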

              People: Julien Rische (jrische@redhat.com), Michal Polovka, Michal Stubna
              Votes: 0
              Watchers: 11