Add support for RFC 5349 "Elliptic Curve PKINIT" #105

Open
SteveSyfuhs opened this issue Nov 29, 2019 · 0 comments
Owner

@SteveSyfuhs SteveSyfuhs commented Nov 29, 2019

Is your feature request related to a problem? Please describe.
The base PKINIT spec supports straight Diffie-Hellman using MODP 2 or 14 parameters. This is inefficient and leads to potential interop problems. ECC support was spec'ed shortly after PKINIT and introduces ECDH for key exchange and certificate signatures. This will have better performance implications as well as better cross-platform support as ECDH is supported in .NET Core.

Describe the solution you'd like
Introduce logic into AsymmetricKerberosCredential that detects if the client certificate is EC, and force everything into using EC.

Add a new property to the credential that indicates the key exchange should prefer ECDH over DH (should it be default?).

Additional context
https://tools.ietf.org/html/rfc5349
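
One way the detection and preference described in the request could work, as an added sketch that is not part of the original issue and not Kerberos.NET code. The `KeyAgreement` enum, the `PkinitKeyAgreementSelector` class, its members, and the P-256 fallback are assumptions made for illustration; only standard .NET cryptography APIs are called.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// All type and member names below are hypothetical, not Kerberos.NET API.
enum KeyAgreement { DiffieHellmanModp, EllipticCurveDiffieHellman }

static class PkinitKeyAgreementSelector
{
    const string IdEcPublicKey = "1.2.840.10045.2.1"; // id-ecPublicKey

    static bool IsEc(X509Certificate2 cert) => cert.PublicKey.Oid.Value == IdEcPublicKey;

    // An EC certificate forces ECDH; otherwise the caller's preference decides.
    public static KeyAgreement Select(X509Certificate2 cert, bool preferEcdh = false) =>
        IsEc(cert) || preferEcdh ? KeyAgreement.EllipticCurveDiffieHellman
                                 : KeyAgreement.DiffieHellmanModp;

    // Ephemeral key on the certificate's curve; P-256 is an assumed default
    // for the case where ECDH is preferred but the certificate is not EC.
    public static ECDiffieHellman CreateEphemeral(X509Certificate2 cert)
    {
        if (!IsEc(cert)) return ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa pub = cert.GetECDsaPublicKey();
        return ECDiffieHellman.Create(pub.ExportParameters(false).Curve);
    }

    static void Main()
    {
        // Constructed, self-signed sample certificates (not from the issue).
        var notBefore = DateTimeOffset.UtcNow; var notAfter = notBefore.AddDays(1);
        using var ecKey = ECDsa.Create(ECCurve.NamedCurves.nistP384);
        using var rsaKey = RSA.Create(2048);
        using var ecCert = new CertificateRequest("CN=constructed-ec", ecKey,
            HashAlgorithmName.SHA384).CreateSelfSigned(notBefore, notAfter);
        using var rsaCert = new CertificateRequest("CN=constructed-rsa", rsaKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1).CreateSelfSigned(notBefore, notAfter);
        Console.WriteLine(Select(ecCert));
        Console.WriteLine(Select(rsaCert));
        Console.WriteLine(Select(rsaCert, preferEcdh: true));
        // Both sides must use the same curve. The hash-based derivation only
        // shows that they agree; it is not PKINIT's key derivation.
        using var client = CreateEphemeral(ecCert);
        using var kdc = ECDiffieHellman.Create(client.ExportParameters(false).Curve);
        byte[] a = client.DeriveKeyFromHash(kdc.PublicKey, HashAlgorithmName.SHA256);
        byte[] b = kdc.DeriveKeyFromHash(client.PublicKey, HashAlgorithmName.SHA256);
        Console.WriteLine(a.AsSpan().SequenceEqual(b));
    }
}
```

Keying the decision off the SubjectPublicKeyInfo algorithm OID rather than the signature algorithm matters because an RSA-signed certificate can still carry an EC subject key.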
