diff --git a/krb5-pkinit-debug.patch b/krb5-pkinit-debug.patch
new file mode 100644
index 0000000..201c45d
--- /dev/null
+++ b/krb5-pkinit-debug.patch
@@ -0,0 +1,99 @@
+This is a cheap, non-very-portable way to make debugging a run-time option.
+
+diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
+index 6598482..85e1c0d 100644
+--- a/src/plugins/preauth/pkinit/pkinit.h
++++ b/src/plugins/preauth/pkinit/pkinit.h
+@@ -34,6 +34,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include "pkinit_accessor.h"
+
+@@ -96,12 +97,15 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */
+ #define pkiDebug printf
+ #else
+ /* Still evaluates for side effects. */
+-static inline void pkiDebug (const char *fmt, ...) { }
++/* static inline void pkiDebug (const char *fmt, ...) { } */
++#define pkiDebug if (pkinit_debug_is_enabled()) printf
+ /* This is better if the compiler doesn't inline variadic functions
+ well, but gcc will warn about "left-hand operand of comma
+ expression has no effect". Still evaluates for side effects. */
+ /* #define pkiDebug (void) */
+ #endif
++extern void pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc);
++extern int pkinit_debug_is_enabled(void);
+
+ /* Solaris compiler doesn't grok __FUNCTION__
+ * hack for now. Fix all the uses eventually.
*/
+diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
+index 6888c1b..bb39fce 100644
+--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
++++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
+@@ -1002,6 +1002,8 @@ pkinit_client_process(krb5_context context,
+ pkinit_req_context reqctx = (pkinit_req_context)request_context;
+ krb5_keyblock *armor_key = NULL;
+
++ pkinit_debug_init(context, &(request->server->realm), 0);
++
+ pkiDebug("pkinit_client_process %p %p %p %p\n",
+ context, plgctx, reqctx, request);
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c
+index a6d7762..2b59fd0 100644
+--- a/src/plugins/preauth/pkinit/pkinit_lib.c
++++ b/src/plugins/preauth/pkinit/pkinit_lib.c
+@@ -452,3 +452,28 @@ print_buffer_bin(unsigned char *buf, unsigned int len, char *filename)
+
+ fclose(f);
+ }
++
++/* This is a cheat to avoid having to rewrite every caller of pkiDebug() to pass
++ in a context structure, which is where this flag would be better placed.
*/
++static __thread int pkinit_debug_enabled = 0;
++
++void
++pkinit_debug_init(krb5_context context, krb5_data *realm, int kdc)
++{
++ pkinit_debug_enabled = -1;
++ if (kdc) {
++ pkinit_kdcdefault_boolean(context, realm, "pkinit_debug",
++ -1, &pkinit_debug_enabled);
++ }
++ if (pkinit_debug_enabled == -1) {
++ pkinit_libdefault_boolean(context, realm, "pkinit_debug",
++ 0, &pkinit_debug_enabled);
++ }
++ printf("pkinit_debug: %d\n", pkinit_debug_enabled);
++}
++
++int
++pkinit_debug_is_enabled(void)
++{
++ return (pkinit_debug_enabled == 1);
++}
+diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
+index 5a7a5ad..d7a0a44 100644
+--- a/src/plugins/preauth/pkinit/pkinit_srv.c
++++ b/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -108,6 +108,8 @@ pkinit_server_get_edata(krb5_context context,
+ pkinit_kdc_context plgctx = NULL;
+ krb5_keyblock *armor_key = NULL;
+
++ pkinit_debug_init(context, &(request->server->realm), 1);
++
+ pkiDebug("pkinit_server_get_edata: entered!\n");
+
+ /* Remove (along with armor_key) when FAST PKINIT is settled. */
+@@ -315,6 +317,8 @@ pkinit_server_verify_padata(krb5_context context,
+ int is_signed = 1;
+ krb5_keyblock *armor_key;
+
++ pkinit_debug_init(context, &(request->server->realm), 1);
++
+ pkiDebug("pkinit_verify_padata: entered!\n");
+ if (data == NULL || data->length <= 0 || data->contents == NULL)
+ return 0;
diff --git a/krb5.spec b/krb5.spec
index dab3998..df2beaa 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -51,6 +51,7 @@ Patch71: krb5-1.9-dirsrv-accountlock.patch
 Patch72: krb5-pkinit-cms2.patch
 Patch73: http://web.mit.edu/kerberos/advisories/2011-001-patch.txt
 Patch74: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt
+Patch75: krb5-pkinit-debug.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
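Review bot: `pkinit_debug_init` in pkinit_lib.c ends with a bare `printf("pkinit_debug: %d\n", pkinit_debug_enabled);` that runs on every call whether or not the option resolved to true, so the new runtime switch still writes to the stdout of every process that loads the plugin — `pkinit_client_process` calls it per request, and so do both KDC entry points `pkinit_server_get_edata` and `pkinit_server_verify_padata` (those three functions continue outside their hunks). That line should be dropped, or at minimum gated as `if (pkinit_debug_enabled == 1) printf("pkinit_debug: %d\n", pkinit_debug_enabled);`. The replacement in pkinit.h, `#define pkiDebug if (pkinit_debug_is_enabled()) printf`, expands to an unbraced `if`, so any caller written as `if (cond) pkiDebug(...); else ...` has its `else` silently captured by the macro; an expression form keeps the object-like macro and avoids that: `#define pkiDebug !pkinit_debug_is_enabled() ? (void)0 : (void)printf`. The return values of `pkinit_kdcdefault_boolean` and `pkinit_libdefault_boolean` are discarded, which is only correct if they leave `pkinit_debug_enabled` untouched on failure; a comment such as `/* relies on the lookup leaving the out-param at -1 when the key is absent or the lookup fails */` would make that dependency explicit.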
@@ -193,6 +194,7 @@ ln -s NOTICE LICENSE
 %patch72 -p1 -b .pkinit_cms2
 %patch73 -p1 -b .2011-001
 %patch74 -p1 -b .2011-002
+#%patch75 -p1 -b .pkinit-debug
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -651,6 +653,10 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Thu Feb 17 2011 Nalin Dahyabhai
+- throw in a not-applied-by-default patch to try to make pkinit debugging
+ into a run-time boolean option named "pkinit_debug"
+
 * Wed Feb 16 2011 Nalin Dahyabhai 1.9-6
 - turn on NSS as the backend for libk5crypto, adding nss-devel as a build
 dependency when that switch is flipped