pkinit updates

[Nicolas Williams]

On Mon, Dec 18, 2006 at 07:38:46PM -0500, Jeffrey Hutzelman wrote:
> How about looking for one with a certificate whose PKINIT SAN matches the 
> principal?  I would certainly see that as useful for some deployments.

Not generally good enough: what if multiple certs exist on the card that
have PKINIT SANs?

At the limit the UI will just have to be able to prompt the user for
which credential to use.

Nico
--