>>>>> "Kevin" == Kevin Coffman <kwc at citi.umich.edu> writes:
Kevin> Is there a need/desire to have a per-principal db attribute
Kevin> which requires a user to use pkinit to authenticate?
That sounds like it would be too much of a tie between the base code
and pkinit without some abstraction.
I wonder whether overloading the hw_auth attribute is sufficient.