pkinit updates
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Dec 18 19:38:46 EST 2006
On Wednesday, December 13, 2006 01:16:40 PM -0500 Jim Rees <rees at umich.edu>
wrote:
> Using token labels would allow users to establish token naming
> conventions that provide a reasonable default for PKINIT clients.
>
> This would be useful -- who wants to train users on how to use this -X
> option? And anyways, a PAM PKINIT-able module would need to be able to
> find the right token with minimal configuration and interaction.
>
> Token labels are only needed if you anticipate having more than one token,
> and you don't want to use the slot id.
... or can't use the slot ID, because the (multiple) tokens are USB devices
and you can't predict which device will end up with which slot.
> Would there be any value in trying to automatically find the right token,
> maybe by looking for one whose label matches the principal?
How about looking for one with a certificate whose PKINIT SAN matches the
principal? I would certainly see that as useful for some deployments.
-- Jeff
More information about the krbdev
mailing list