pkinit updates
Douglas E. Engert
deengert at anl.gov
Wed Dec 13 19:03:12 EST 2006
Nicolas Williams wrote:
> On Wed, Dec 13, 2006 at 05:17:28PM -0600, Douglas E. Engert wrote:
>
>>Nicolas Williams wrote:
>>
>>>Whereas the way I read it is that CITI/MIT's PKINIT implementation is an
>>>"application" that is free to define labels.
>>
>>Even if I agreed with you, you application has to associate the label with
>>the card, and it can not write in the card, so it has to store the
>>maping somewhere else, or derive the label from the cert.
>
>
> Huh? C_InitToken() is the administrative function to be used when
> creating the credential to set the token label.
OK, But if smartcards are assigned to us by DOE as part of the
HSPD-12, we will not be able to modify the card, and in effect
can not use the C_InitToken, as the card will not permit us to write
on it. In other words the choice of a label is out of our control.
NIST 800-73-1 defines what objects are actually on the card, and
it is not clear what fields could be mapped into what pkcs11 would
call a label. As far as I can tell NIST has not set any stsandards
on how a PIV card could be used with PKCS#11. They have asked for
"logical access" for COTS applications, which comes down to mostly
the cert and key with browsers with HTTPS, and login either localy
to the workstation, or PKINIT to AD, or Kerberos.
>
> Nico
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the krbdev
mailing list