draft comments:

- tag for nameNotInCert (GeneralName is a choice)

- TargetName.exportedTargName has a spelling error on OCTET STRING

- padata number is wrong (page 13)

still missing:

- storing credentials so we can skip pku2u
- mapping server names into Kerberos name
- setting target asserted name
- Make target name have a real meaning
- Implement GSS_C_NT_DN
- Verify ad-pku2u-client-name in acceptor

How to try:

- sudo dscl . append /Users/lha RecordName 'description=MobileMe Sharing Certificate,CN=bitcollector,OU=me.com,O=Apple Inc.,C=US'

- sudo chmod 644 /etc/krb5.keytab

- /usr/local/libexec/heimdal/bin/test_context --mech-type=PKU2U --mutual-auth --wrap service@host


sudo dscl . append /Users/lha RecordName 55D20C14EE9EB4C41962801D1AD88AD7ACF34D72
sudo dscl . append /Users/lha dsAttrTypeStandard:AltSecurityIdentities 'X509:<T>CN=Apple Root Certificate Authority,OU=Apple Computer Certificate Authority,O=Apple Computer\, Inc.,C=US<S>description=MobileMe Sharing Certificate,CN=bitcollector,OU=me.com,O=Apple Inc.,C=US'