pkinit updates

Jeffrey Hutzelman jhutz at
Mon Dec 18 19:38:46 EST 2006

On Wednesday, December 13, 2006 01:16:40 PM -0500 Jim Rees <rees at> 

>   Using token labels would allow users to establish token naming
>   conventions that provide a reasonable default for PKINIT clients.
>   This would be useful -- who wants to train users on how to use this -X
>   option?  And anyways, a PAM PKINIT-able module would need to be able to
>   find the right token with minimal configuration and interaction.
> Token labels are only needed if you anticipate having more than one token,
> and you don't want to use the slot id.

... or can't use the slot ID, because the (multiple) tokens are USB devices 
and you can't predict which device will end up with which slot.

> Would there be any value in trying to automatically find the right token,
> maybe by looking for one whose label matches the principal?

How about looking for one with a certificate whose PKINIT SAN matches the 
principal?  I would certainly see that as useful for some deployments.

-- Jeff

More information about the krbdev mailing list