Proposal for NIM 2.0 Multiple Identity Provider User Experience andPK-INIT

Jeffrey Altman jaltman at
Tue Aug 7 15:03:05 EDT 2007

Henry B. Hotz wrote:
> My current presumption is that a smart card should be used if there  
> is one plugged into a known interface at the time a decision needs to  
> be made.  I'm assuming you can distinguish between a real smart card  
> and a pkcs11 library (which may be hard, may even be undesirable in  
> some debugging scenarios).

PKINIT does not require a smart card.  It requires a certificate and
a private key.  The certificate and private key may reside on a smart
card but it doesn't have to.  KFW will not be using PKCS#11.  Instead
it will be using Microsoft CAPI.  This will enable the use of the
Windows certificate store as a source of certificates and private keys
for use with PKINIT.

>  From a service provider viewpoint the direction I'm considering is  
> to support the cards and as a fallback some kind of OTP scheme for  
> each Kerberos principal.  Each principal/identity would have the  
> option of using either.  The selection of which to use would be made  
> at the client based most likely on whether a card reader with card  
> was available.

As described in the proposal, the user can perform an initial
authentication using the certificate, if so, that certificate can be
used to obtain Kerberos v5 credentials in the same way that initial
authentication to Kerberos v5 can be used to obtain AFS tokens or
Kerberos v4 tickets.

If the user doesn't have a smartcard/certificate or wishes to
authentication via a password or OTP, the user can perform initial
authentication using the Kerberos v5 principal directly.

This approach permits the use of a single smartcard/certificate to
obtain credentials for multiple Kerberos v5 principals.

Jeffrey Altman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the krbdev mailing list