pkinit updates

Jeffrey Hutzelman jhutz at
Tue Dec 19 18:55:44 EST 2006

On Tuesday, December 19, 2006 05:38:42 PM -0600 Nicolas Williams 
<Nicolas.Williams at> wrote:

> On Tue, Dec 19, 2006 at 06:31:47PM -0500, Jeffrey Hutzelman wrote:
>> > Certs w/o PKINIT SANs can be used with PKINIT...
>> Yes, but you can't match your principal name against their PKINIT SANs
>> to decide which one to use.  So you'd need some other approach.
> Well, you could try 'em all!  Particularly if you know what principal
> you want to be.

Well, no, you can't, because actually using them is generally going to 
involve prompting for PINs, and you neither want to prompt the user for 
every PIN on the card nor try any PIN on a key other than the one the user 
intended you to use it with.

More information about the krbdev mailing list