- Story
- Resolution: Unresolved
- Major
- rhel-9.1.0
- rhel-sst-idm-ipa
- ssg_idm
- Known Issue
MS-PKCA v20211006 (section 2.2)[1] defines the following supported algorithms for the PKINIT CMS signature:
- md5WithRSAEncryption (since Windows Server 2003)
- sha1WithRSAEncryption (newer than Windows Server 2003)
- ecdsa-with-sha1/256/384/512 (newer than Windows Server 2008)
Of these, ECDSA signatures are the only ones that can still be verified on RHEL 9, since verification of SHA-1 and MD5 signatures is disallowed by default. We should implement RFC 5349[2] in MIT krb5 in order to support PKINIT pre-authentication against Active Directory.
[1] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PKCA/%5bMS-PKCA%5d.pdf
[2] https://www.rfc-editor.org/rfc/rfc5349.html
- is blocked by: RHEL-4875 [RFE] Infer PKINIT CMS data digest from supportedCMSTypes