Proposal for NIM 2.0 Multiple Identity Provider User Experience and PK-INIT
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Aug 7 13:13:34 EDT 2007
My current presumption is that a smart card should be used if there
is one plugged into a known interface at the time a decision needs to
be made. I'm assuming you can distinguish between a real smart card
and a pkcs11 library (which may be hard, may even be undesirable in
some debugging scenarios).
From a service provider viewpoint the direction I'm considering is
to support the cards and as a fallback some kind of OTP scheme for
each Kerberos principal. Each principal/identity would have the
option of using either. The selection of which to use would be made
at the client based most likely on whether a card reader with card
was available.
On Aug 7, 2007, at 9:06 AM, krbdev-request at mit.edu wrote:
> The user interface becomes more complex. Not only does the user have to
> remember their Kerberos v5 identity but they have to now choose between
> password and certificate/smartcard authentication. If you want to make
> the prompts smart, then you need to contact the KDC to determine if
> pkinit is supported. For that matter you will also need a way of
> determining if password authentication is disabled for the account.
> However, requiring communication with the KDC should be avoided as it
> leads to uncomfortable delays on slow networks or when the KDC is
> inaccessible. Users do not anticipate a communication to the KDC until
> after they press the "Finish" button.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu