pkinit updates

Douglas E. Engert deengert at
Wed Dec 13 11:15:28 EST 2006

Jim Rees wrote:
> Right now we just use the first cert.  We're going to fix it so that there
> is some sort of intelligent decision.  Olga has some ideas about that.  At
> the very least we need to ignore certs that don't have corresponding private
> keys capable of signing.

The Heimdal code will read all the certs on the card and matching keys, and
look at attributes, and might even look at the issuers.

This is also related to the use of the CKA_ID option I was asking
for yesterday, along with the slot number. But if you can do this in
an intelligent way that would be better, as it would complicate pam_krb5
if for some cards the ID=1 and on some cards the ID=3.
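
An added illustration, not part of the original message and not Heimdal or pam_krb5 code: a Python model of the selection discussed in this thread, keeping only certificates whose CKA_ID matches a private key with CKA_SIGN set, with optional slot and CKA_ID overrides. The two card layouts, labels and function names are constructed for the example, and no real PKCS#11 library is called.

```python
# Constructed model of PKCS#11 token objects. Attribute names follow the
# PKCS#11 spec; slots, IDs and labels are made up for this example.
CERT, PRIVKEY = "CKO_CERTIFICATE", "CKO_PRIVATE_KEY"

def obj(slot, cls, cka_id, **attrs):
    return {"slot": slot, "CKA_CLASS": cls, "CKA_ID": cka_id, **attrs}

# Card A: the signing pair has ID 1. Card B: the first cert has no key, the
# ID 2 key cannot sign, and the signing pair has ID 3.
CARD_A = [obj(0, CERT, b"\x01", CKA_LABEL="login"),
          obj(0, PRIVKEY, b"\x01", CKA_SIGN=True)]
CARD_B = [obj(0, CERT, b"\x01", CKA_LABEL="issuer CA"),
          obj(0, CERT, b"\x02", CKA_LABEL="encryption"),
          obj(0, PRIVKEY, b"\x02", CKA_SIGN=False),
          obj(0, CERT, b"\x03", CKA_LABEL="login"),
          obj(0, PRIVKEY, b"\x03", CKA_SIGN=True)]

def usable_certs(objects, slot=None, cka_id=None):
    """Certificates backed by a signing-capable private key on the same slot."""
    signing = {(o["slot"], o["CKA_ID"]) for o in objects
               if o["CKA_CLASS"] == PRIVKEY and o.get("CKA_SIGN")}
    return [o for o in objects
            if o["CKA_CLASS"] == CERT
            and (o["slot"], o["CKA_ID"]) in signing
            and (slot is None or o["slot"] == slot)
            and (cka_id is None or o["CKA_ID"] == cka_id)]

def pick_cert(objects, slot=None, cka_id=None):
    """Return the single usable cert; refuse to guess when none or several match."""
    certs = usable_certs(objects, slot, cka_id)
    if len(certs) != 1:
        raise LookupError(f"{len(certs)} usable certificates; set slot/CKA_ID")
    return certs[0]

if __name__ == "__main__":
    for name, card in (("A", CARD_A), ("B", CARD_B)):
        c = pick_cert(card)
        print(name, c["CKA_LABEL"], c["CKA_ID"].hex())
```

On card B a "first cert" policy would return the key-less issuer certificate; the filter returns the ID 3 pair without any per-card configuration.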

