<div dir="ltr"><span id="gmail-docs-internal-guid-cbc901f7-7fff-b187-8eb1-1ee3a9511362"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Hi Weijun and Sean,</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">We are a small group of engineers at Uber working in the Kerberos space (</span><a href="https://www.uber.com/blog/scaling-adoption-of-kerberos-at-uber/" style="text-decoration-line:none"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">blog</span></a><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">). 
PKINIT (</span><a href="https://datatracker.ietf.org/doc/html/rfc4556" style="text-decoration-line:none"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">RFC 4556</span></a><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">) was proposed in 2006 and has been part of MIT Kerberos (</span><a href="https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html" style="text-decoration-line:none"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">doc</span></a><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">), but it is not yet supported natively in JDK. We’d like to add PKINIT support to Krb5LoginModule and are writing to socialize the change and request sponsorship.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Many of Uber’s critical services rely on keytabs (long‑lived secrets) to authenticate with Kerberos. 
Highly privileged keytabs are distributed across thousands of nodes, which makes them difficult to rotate (</span><a href="https://www.uber.com/blog/automating-kerberos-keytab-rotation-at-uber/" style="text-decoration-line:none"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">blog</span></a><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">) without disruption and carries major risks if leaked. Uber’s internal strategy involves replacing these keytabs with short-lived X.509 client certificates via PKINIT - easier to rotate and aligns better with modern PKI infrastructure. </span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">We implemented PKINIT in our internal fork of Krb5LoginModule and have been running it in production since July 2025. 
The main changes include:</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Constructing and parsing PKINIT‑specific PA‑DATA (PA‑PK‑AS‑REQ / PA‑PK‑AS‑REP) per the RFC, and</span></p></li><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" role="presentation"><span style="font-size:11pt;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Adding JAAS config options to enable PKINIT in Krb5LoginModule.</span></p></li></ul><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">First‑class PKINIT support in the JDK would provide the Java community with an alternative to Kerberos keytabs. Developers can choose the right Kerberos authentication approach that suits their environment: keep keytabs where they work well, or opt into short‑lived, easy to rotate certificates via PKINIT. 
</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">We have not made contributions to JDK in the past. If you are supportive, could one of you serve as </span><a href="https://openjdk.org/guide/#find-a-sponsor" style="text-decoration-line:none"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">Sponsor</span></a><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> and guide us through the contribution process?</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Thank you for your time and consideration.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Proxima Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Best regards,</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Proxima 
Nova",sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Junyan</span></p></span></div>