Proposal for NIM 2.0 Multiple Identity Provider User Experience and PK-INIT

Henry B. Hotz hotz at
Tue Aug 7 13:13:34 EDT 2007

My current presumption is that a smart card should be used if there  
is one plugged into a known interface at the time a decision needs to  
be made.  I'm assuming you can distinguish between a real smart card  
and a pkcs11 library (which may be hard, may even be undesirable in  
some debugging scenarios).

From a service provider viewpoint the direction I'm considering is  
to support the cards and as a fallback some kind of OTP scheme for  
each Kerberos principal.  Each principal/identity would have the  
option of using either.  The selection of which to use would be made  
at the client based most likely on whether a card reader with card  
was available.

On Aug 7, 2007, at 9:06 AM, krbdev-request at wrote:

> The user interface becomes more complex.  Not only does the user have to
> remember their Kerberos v5 identity but they have to now choose between
> password and certificate/smartcard authentication.  If you want to make
> the prompts smart, then you need to contact the KDC to determine if
> pkinit is supported.  For that matter you will also need a way of
> determining if password authentication is disabled for the account.
> However, requiring communication with the KDC should be avoided as it
> leads to uncomfortable delays on slow networks or when the KDC is
> inaccessible.  Users do not anticipate a communication to the KDC until
> after they press the "Finish" button.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
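The client-side decision the message proposes (use the card if one is plugged into a known reader at decision time, otherwise fall back to OTP, and never ask the KDC to decide) can be written down as a small policy. The following is an added illustration, not code from this thread, from NIM or from MIT Kerberos. The slot flag bits are the real PKCS#11 CK_SLOT_INFO flags; the slot records, module paths and reader names are constructed sample data, and the identity string assumes an MIT krb5-style client that accepts the `pkinit_identities` `PKCS11:` syntax.

```python
"""Client-side choice between PK-INIT (smart card) and an OTP fallback.

Added example, not code from the krbdev thread, NIM or MIT Kerberos.
Models the policy in the message: prefer a card in a known reader when
the decision is made, otherwise fall back to OTP; no KDC contact needed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# PKCS#11 CK_SLOT_INFO.flags bits (from the PKCS#11 specification).
CKF_TOKEN_PRESENT = 0x01
CKF_REMOVABLE_DEVICE = 0x02
CKF_HW_SLOT = 0x04


@dataclass(frozen=True)
class Slot:
    """One PKCS#11 slot as a C_GetSlotInfo call would report it (constructed)."""
    module: str        # path of the PKCS#11 library exposing the slot
    slot_id: int
    description: str
    flags: int


def is_hardware_card(slot: Slot) -> bool:
    """True for a 'real' smart card: a token present in a hardware, removable slot.

    Software-only PKCS#11 modules normally set neither CKF_HW_SLOT nor
    CKF_REMOVABLE_DEVICE, which is the only local signal available to
    tell them apart.  It is a heuristic, not a guarantee: a module can
    report whatever flags it likes.
    """
    needed = CKF_TOKEN_PRESENT | CKF_HW_SLOT | CKF_REMOVABLE_DEVICE
    return (slot.flags & needed) == needed


def choose_mechanism(slots: Iterable[Slot], known_modules: Iterable[str],
                     allow_software_tokens: bool = False) -> Tuple[str, Optional[Slot]]:
    """Return ('pkinit', slot) when a usable card sits in a known reader, else ('otp', None).

    allow_software_tokens is the debugging knob the message alludes to: it
    lets a pure-software PKCS#11 token (e.g. a SoftHSM-style module) be
    treated as a card.  Only modules the client was configured with are
    considered, so an unknown library plugged in by someone else is ignored.
    """
    known = set(known_modules)
    for slot in slots:
        if slot.module not in known:
            continue
        if not (slot.flags & CKF_TOKEN_PRESENT):
            continue                      # empty reader, keep looking
        if is_hardware_card(slot) or allow_software_tokens:
            return ("pkinit", slot)
    return ("otp", None)


def pkinit_identity(slot: Slot) -> str:
    """Build the MIT krb5 pkinit_identities value for the chosen slot (assumed client)."""
    return f"PKCS11:module_name={slot.module}:slotid={slot.slot_id}"


# Constructed sample slots: a hardware card, a software token, an empty reader.
OPENSC = "/usr/lib/opensc-pkcs11.so"          # constructed path
SOFTHSM = "/usr/lib/softhsm/libsofthsm2.so"   # constructed path
HW_CARD = Slot(OPENSC, 0, "Example Reader 00 00",
               CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT)
SOFT_TOKEN = Slot(SOFTHSM, 0, "SoftHSM slot", CKF_TOKEN_PRESENT)
EMPTY_READER = Slot(OPENSC, 1, "Example Reader 01 00",
                    CKF_REMOVABLE_DEVICE | CKF_HW_SLOT)
KNOWN_MODULES = {OPENSC, SOFTHSM}


if __name__ == "__main__":
    for scenario in ([EMPTY_READER, SOFT_TOKEN, HW_CARD], [EMPTY_READER, SOFT_TOKEN]):
        mech, slot = choose_mechanism(scenario, KNOWN_MODULES)
        print(mech, pkinit_identity(slot) if slot else "(prompt for OTP)")
```

The ordering of checks matters for the user experience the message is after: every decision here is made from local PKCS#11 slot state, so the prompt can be shown immediately, and a wrong guess only costs a fallback to the OTP prompt rather than a hang while a slow or unreachable KDC is consulted.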
