pkinit updates

Jim Rees rees at
Wed Dec 13 17:05:04 EST 2006

I just don't see the token label being very useful.  Doug gave several good
reasons.  Maybe you can give an example.

We won't be doing interaction.  But maybe someone will.

Doug brought up the point that our code currently asks for the PIN before
reading the certs.  In fact, it only does this if the token info says that
login is required.  But I wasn't sure we were doing the right thing.  I can
change the code so that it first tries to read the certs, and only prompts
for the PIN if needed.  Does anyone think that would be useful?

  But what's the principal?

It's the one the user gave on the kinit command line, and passed down
through init_creds.  Or PAM equivalent.  Are you suggesting we should try to
guess the principal and realm when it hasn't been specified?  How?

  Also, if there would be options like slotid then perhaps an option to
  match cert/key by Name/SAN would be good (kinit -X dn=...; kinit -X
  san=rfc822Name:...; kinit -X issuer=...).  But now I'm probably asking
  for the Moon ;)

Not at all.  I'd like to see options to pick the cert based on pretty much
anything that might appear in the cert.  I don't know if we'll get that

  If the OS ships with a PKCS#11 implementation, then use that as the
  default.  (Solaris 10+, for example, has /usr/lib/

How would I do that?  A configure option?  Seems like an ok idea but not at
the top of my list.

More information about the krbdev mailing list