pkinit updates

Douglas E. Engert deengert at
Wed Dec 13 18:17:28 EST 2006

Nicolas Williams wrote:

> On Wed, Dec 13, 2006 at 03:50:02PM -0600, Douglas E. Engert wrote:
>>PKCS#11 says: " CK_TOKEN_INFO
>>                CK_CHAR label[32];
>>               label - application-defined label, asigned during token
>>                       initialization"
>>The way I read this, is the label, if any, is assigned when the smartcard
>>is initialized by the card issuer. The label may or may not be different
>>on each card and for security reasons may even be null.  The label is a
>>PKCS#11 thing, and a card may or may not have any information that might
>>correspond to something that could be called a label. So I don't think there
>>is any chance of expecting a labelling convention. Even so the convention
>>is under control of the card issuer that may not be in the same 
> Whereas the way I read it is that CITI/MIT's PKINIT implementation is an
> "application" that is free to define labels.

Even if I agreed with you, you application  has to associate the label with
the card, and it can not write in the card, so it has to store the
maping somewhere else, or derive the label from the cert.

>>Looking at other applicaitons, like FireFox or Windows CSP that have to deal
>>with smartcards, they all do somting like registering the certificates that
>>they have seen, rather then labels. So in my option the best pkinit
>>could do is default to using the card found in the reader.
> But those apps have the luxury of being able to remember things across
> sessions.  A PAM PKINIT module would not have this luxury (user Bob ->
> slotid 1, user Alice, slotid 2).

The Microsoft CSP for login is similiar, that in effect read the ATR of
the card, figures out which CSP to call used the CSPs to read the cert
from the card, put it in a temporary store, then go on. Sort of on the fly
registration.  (The OpenSC SCB can run on Windows and can work with the
Identity Alliance's IdAlly that is a CSP and can be used for login.) (FYI OpenSC
has a Mac SCA with a tokend that works with FireFox and Safari)

>>>There are too many non-obvious cases, and interacting with the user
>>>(through the krb5_get_init_creds() prompter or PAM conversation) seems
>>>much better to me than just failing.
>>Yes good idea, if you can give the user a choice using data from his
>>This does bring up a point. Most (all?) cards allow the certs to be read
>>without providing the pin. The UMich pkinit code is asking for the PIN then
>>reading the certs. (The main difference between NIST 800-73 and 800-73-1
>>hinged on this point, as most other application like Windows CSP depend on
>>reading the cert before asking for the pin.)
>>If you are trying to select among certs on multiple cards in readers
>>on the same machine, you dont wan't to have to ask for the PINs just to
>>find out the cert on the card is not useable.
> Good point.  Read the certs first, then login after a selection has been
> made.
>>>If the OS ships with a PKCS#11 implementation, then use that as the
>>>default.  (Solaris 10+, for example, has /usr/lib/

(more on the WOW comment in the next note, as it is starting to get off thread.)


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list