On Thu, Apr 02, 2026 at 07:06:37PM -0700, Russ Allbery wrote:
> [...]. (Although also I'm not sure I understand the security
> model of using a PKINIT cert on disk and not a keytab.)
IMO it's strictly better. Though you can still have a keytab as an optimization.

As Geoff explained in his reply, the idea is that the KDC can synthesize a KDB entry for any principal that doesn't exist in the KDB but for which a client certificate is presented (with a PKINIT SAN, issued by a CA trusted for that and the realm in question) and issue a ticket.

If you want to revoke such a thing you just create a KDB entry for the given name and mark it locked.

Nico

-- 
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
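The KDC behaviour Nico describes above, as an added model in Python (not code from this thread and not MIT krb5's implementation): a trusted CA, an id-pkinit-san naming a principal in the KDC's realm, a synthesized entry when no KDB row exists, and revocation by creating a locked row that shadows the synthesized one. The `Kdc`, `ClientCert`, `KdbEntry` and `SanOtherName` types, the issuer-string trust check and the "reject ambiguous certs" rule are assumptions of this model; certificate chain validation is assumed to have happened before the cert reaches `entry_for_pkinit_client`. The id-pkinit-san OID (1.3.6.1.5.2.2) is from RFC 4556.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# RFC 4556 id-pkinit-san: the OtherName OID under which a PKINIT client
# certificate carries its KRB5PrincipalName.
ID_PKINIT_SAN = "1.3.6.1.5.2.2"


class PkinitRejected(Exception):
    """The KDC refuses to issue a ticket for the presented certificate."""


@dataclass(frozen=True)
class SanOtherName:
    oid: str
    value: str  # for id-pkinit-san: the KRB5PrincipalName decoded as "name@REALM"


@dataclass(frozen=True)
class ClientCert:
    issuer: str                        # issuer DN; chain validation assumed done already
    sans: Tuple[SanOtherName, ...]


@dataclass
class KdbEntry:
    principal: str
    locked: bool = False        # locked entries never get tickets
    synthesized: bool = False   # True when not backed by a stored KDB row


class Kdc:
    """Hypothetical model of the PKINIT lookup path, not MIT krb5 code."""

    def __init__(self, realm: str, trusted_pkinit_cas: frozenset, kdb: Dict[str, KdbEntry]):
        self.realm = realm
        self.trusted_pkinit_cas = trusted_pkinit_cas  # CAs trusted to issue PKINIT certs for this realm
        self.kdb = kdb

    def principal_from_cert(self, cert: ClientCert) -> str:
        if cert.issuer not in self.trusted_pkinit_cas:
            raise PkinitRejected(f"issuer {cert.issuer!r} not trusted for PKINIT in {self.realm}")
        names = [san.value for san in cert.sans if san.oid == ID_PKINIT_SAN]
        # Only principals in this KDC's realm count; a cert may name others for other realms.
        in_realm = [n for n in names if "@" in n and n.rsplit("@", 1)[1] == self.realm]
        if not in_realm:
            raise PkinitRejected(f"no id-pkinit-san for realm {self.realm}")
        if len(in_realm) > 1:
            # Design choice of this model: refuse rather than pick one of several principals.
            raise PkinitRejected(f"ambiguous: several principals for {self.realm}")
        return in_realm[0]

    def entry_for_pkinit_client(self, cert: ClientCert) -> KdbEntry:
        princ = self.principal_from_cert(cert)
        entry = self.kdb.get(princ)
        if entry is None:
            # No KDB row, but a trusted cert names the principal: synthesize an
            # entry for this request only. Nothing is written to the KDB.
            return KdbEntry(principal=princ, synthesized=True)
        if entry.locked:
            raise PkinitRejected(f"{princ} is locked")
        return entry

    def revoke(self, principal: str) -> None:
        # Revocation in this model: a stored, locked row shadows any synthesized entry.
        self.kdb[principal] = KdbEntry(principal=principal, locked=True)


def demo() -> dict:
    """Constructed scenario (not real data); returns each step's outcome by label."""
    ca = "CN=Example PKINIT CA"
    kdc = Kdc("EXAMPLE.COM", frozenset({ca}),
              {"alice@EXAMPLE.COM": KdbEntry("alice@EXAMPLE.COM")})

    def cert(issuer: str, *princs: str) -> ClientCert:
        return ClientCert(issuer, tuple(SanOtherName(ID_PKINIT_SAN, p) for p in princs))

    def outcome(c: ClientCert) -> str:
        try:
            return "synthesized" if kdc.entry_for_pkinit_client(c).synthesized else "stored"
        except PkinitRejected:
            return "rejected"

    host = "host/web1.example.com@EXAMPLE.COM"
    out = {
        "alice": outcome(cert(ca, "alice@EXAMPLE.COM")),   # stored row, used as-is
        "host": outcome(cert(ca, host)),                    # no row: synthesized
        "rogue_ca": outcome(cert("CN=Rogue CA", host)),     # untrusted issuer
        "other_realm": outcome(cert(ca, "bob@OTHER.REALM")),
        "two_principals": outcome(cert(ca, "a@EXAMPLE.COM", "b@EXAMPLE.COM")),
        "no_san": outcome(ClientCert(ca, ())),
    }
    kdc.revoke(host)                                        # locked row now shadows the cert
    out["host_after_revoke"] = outcome(cert(ca, host))
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18} {result}")
```

The useful property to notice is that revocation needs no change to the CA or to the client: a locked KDB row for the name is consulted before any synthesis, so the certificate keeps validating but the KDC stops issuing for it.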
