pkinit updates

Douglas E. Engert deengert at
Wed Dec 13 19:03:12 EST 2006

Nicolas Williams wrote:

> On Wed, Dec 13, 2006 at 05:17:28PM -0600, Douglas E. Engert wrote:
>>Nicolas Williams wrote:
>>>Whereas the way I read it is that CITI/MIT's PKINIT implementation is an
>>>"application" that is free to define labels.
>>Even if I agreed with you, you application  has to associate the label with
>>the card, and it can not write in the card, so it has to store the
>>maping somewhere else, or derive the label from the cert.
> Huh?  C_InitToken() is the administrative function to be used when
> creating the credential to set the token label.

OK, But if smartcards are assigned to us by DOE as part of the
HSPD-12, we will not be able to modify the card, and in effect
can not use the C_InitToken, as the card will not permit us to write
on it. In other words the choice of a label is out of our control.
NIST 800-73-1 defines what objects are actually on the card, and
it is not clear what fields could be mapped into what pkcs11 would
call a label. As far as I can tell NIST has not set any stsandards
on how a PIV card could be used with PKCS#11. They have asked for
"logical access" for COTS applications, which comes down to mostly
the cert and key with browsers with HTTPS, and login either localy
to the workstation, or PKINIT to AD, or Kerberos.

> Nico


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list