pkinit updates
Jeffrey Hutzelman
jhutz at cmu.edu
Tue Dec 19 18:55:44 EST 2006
On Tuesday, December 19, 2006 05:38:42 PM -0600 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> On Tue, Dec 19, 2006 at 06:31:47PM -0500, Jeffrey Hutzelman wrote:
>> > Certs w/o PKINIT SANs can be used with PKINIT...
>>
>> Yes, but you can't match your principal name against their PKINIT SANs
>> to decide which one to use. So you'd need some other approach.
>
> Well, you could try 'em all! Particularly if you know what principal
> you want to be.

Well, no, you can't, because actually using them is generally going to
involve prompting for PINs, and you neither want to prompt the user for
every PIN on the card nor try any PIN on a key other than the one the user
intended you to use it with.