Douglas E. Engert
deengert at anl.gov
Wed Dec 13 11:15:28 EST 2006
Jim Rees wrote:
> Right now we just use the first cert. We're going to fix it so that there
> is some sort of intelligent decision. Olga has some ideas about that. At
> the very least we need to ignore certs that don't have corresponding private
> keys capable of signing.
The Heimdal code will read all the certs on the card and matching keys, and
look at attributes, and might even look at the issuers.
This is also related to the use of the CKA_ID option I was asking
for yesterday, along with the slot number. But if you can do this in
an intelligent way that would be better, as it would complicate pam_krb5
if for some cards the ID=1 and on some cards the ID=3.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
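
The selection discussed in this message (skip certificates that have no matching private key able to sign, rather than depending on a fixed CKA_ID), as an added example that is not code from this post, pam_krb5 or Heimdal. The `token_obj` struct and `select_signing_cert` are hypothetical stand-ins for objects read over PKCS#11, and the sample cards are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for a PKCS#11 object as read from a token.
 * Only the attributes needed for selection are modelled (assumption). */
enum obj_class { OBJ_CERTIFICATE, OBJ_PRIVATE_KEY };   /* CKA_CLASS */

struct token_obj {
    enum obj_class cls;
    unsigned char id[8];   /* CKA_ID value: a byte string, not an integer */
    size_t id_len;         /* CKA_ID length */
    int can_sign;          /* CKA_SIGN, meaningful for private keys only */
};

/* Two objects belong together when their CKA_ID byte strings are equal. */
static int same_id(const struct token_obj *a, const struct token_obj *b)
{
    return a->id_len > 0 && a->id_len == b->id_len &&
           memcmp(a->id, b->id, a->id_len) == 0;
}

/* Return the index of the first certificate that has a private key with the
 * same CKA_ID and CKA_SIGN set, or -1 if the token holds no usable pair. */
int select_signing_cert(const struct token_obj *objs, size_t n)
{
    for (size_t c = 0; c < n; c++) {
        if (objs[c].cls != OBJ_CERTIFICATE)
            continue;
        for (size_t k = 0; k < n; k++) {
            if (objs[k].cls == OBJ_PRIVATE_KEY && objs[k].can_sign &&
                same_id(&objs[c], &objs[k]))
                return (int)c;
        }
    }
    return -1;
}

/* Constructed sample cards: the usable pair has ID 3 on one, ID 1 on the other. */
const struct token_obj card_a[] = {
    { OBJ_CERTIFICATE, {0x01}, 1, 0 },  /* certificate with no key on the card */
    { OBJ_CERTIFICATE, {0x02}, 1, 0 },  /* key present but not able to sign */
    { OBJ_PRIVATE_KEY, {0x02}, 1, 0 },
    { OBJ_CERTIFICATE, {0x03}, 1, 0 },  /* usable pair */
    { OBJ_PRIVATE_KEY, {0x03}, 1, 1 },
};
const struct token_obj card_b[] = {
    { OBJ_CERTIFICATE, {0x01}, 1, 0 },
    { OBJ_PRIVATE_KEY, {0x01}, 1, 1 },
};
```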