PKCA assumes the following, in addition to any assumptions specified in [MS-KILE]:
The key distribution center (KDC) has an X.509 public key certificate [X509], issued by a certificate authority (CA) and trusted by the clients in the Kerberos realm. For ECC support, the KDC has an ECC public key certificate issued by a CA and trusted by clients in the Kerberos realm. The issuing of these [X509] certificates is not addressed in this protocol specification.
A cryptographic-strength random-number generator is available for generating keys and other cryptographically sensitive information.<1>
Each user has an [X509] certificate suitable for use with PKINIT. Details about such a certificate are specified in [RFC4556] Appendix C.
Details about general Kerberos assumptions are specified in [RFC4120] section 1.6.