On Tue, Mar 02, 2021 at 05:09:06PM -0800, Michael Thomas wrote:
> > > > > Is anybody using PKINIT?
> > > > Yes.
> > > Where? In any volume?
> > Corporate networks. The only place where Kerberos is used.
>
> Really? What is the use case? I'm under the impression that Kerberos has
> mostly been relegated to Active Directory and that's about it. I like
> Kerberos, fwiw.

Use cases:

 - smartcards
 - anonymous Kerberos (requires PKINIT)
 - batch jobs

   You can have a trust anchor where a CA issues certificates with a
   Kerberos SAN and the PKINIT EKU and then that can be used to get
   tickets on behalf of that user for their batch jobs.

I don't like Kerberos, not Kerberos V, but I do like Needham-Schroeder,
and I suspect we may want to sprinkle a bit of Needham-Schroeder onto a
post-quantum future as an optimization for PQ crypto.

Nico
--