pkinit updates
Jeffrey Hutzelman
jhutz at cmu.edu
Tue Dec 19 18:31:47 EST 2006
On Tuesday, December 19, 2006 05:08:00 PM -0600 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Tue, Dec 19, 2006 at 05:42:43PM -0500, Jeffrey Hutzelman wrote:
>> You use the one whose SAN matches your principal name. If there is more
>> than one, you use the first one, or prompt the user. Of course, even
>> that only helps if the certs in question have PKINIT SAN's, and a lot
>> of them won't.
>
> Certs w/o PKINIT SANs can be used with PKINIT...
Yes, but you can't match your principal name against their PKINIT SAN's to
decide which one to use. So you'd need some other approach.
More information about the krbdev
mailing list