Proposal for NIM 2.0 Multiple Identity Provider User Experience and PK-INIT

Sam Hartman hartmans at MIT.EDU
Tue Aug 7 22:17:26 EDT 2007

>>>>> "Henry" == Henry B Hotz <hotz at> writes:

    Henry> My current presumption is that a smart card should be used
    Henry> if there is one plugged into a known interface at the time
    Henry> a decision needs to be made.  I'm assuming you can
    Henry> distinguish between a real smart card and a pkcs11 library
    Henry> (which may be hard, may even be undesirable in some
    Henry> debugging scenarios).

    >> you need to contact the KDC to determine if pkinit is
    >> supported.  For that matter you will also need a way of
    >> determining if password authentication is disabled for the
    >> account.  However, requiring communication with the KDC should
    >> be avoided as it leads to uncomfortable delays on slow networks
    >> or when the KDC is inaccessible.  Users do not anticipate a
    >> communication to the KDC until after they press the "Finish"
    >> button.

Jeff, I'm summarizing something we discussed on the phone for the

MIT believes that it is important to contact the KDC and find out what
preauth types are available.  NIM must respond in a manner that is
consistent with these preauth types, i.e., if it is obtaining
credentials for a given Kerberos identity and pkinit is not offered by
the KDC, pkinit will not be used.

This will produce non-intuitive behavior in the case where NIM expects
to get credentials as a result of a certificate and pkinit is not
offered, but I think all other cases work out reasonably well.
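The selection rule described in this message, as an added illustration that is not part of the thread and not code from NIM or MIT Kerberos: the client first asks the KDC, reads the padata types the KDC lists in its KDC_ERR_PREAUTH_REQUIRED response, and only then picks a mechanism from that list. The padata type numbers and the error code are the real RFC 4120 / RFC 4556 values; the data classes, the "expects a certificate" flag, and the tiny in-memory KDC table are assumptions made up for the example.

```python
"""Model of preauth selection driven by the KDC's offered padata list."""
from dataclasses import dataclass
from typing import List, Optional

# Real padata type numbers (RFC 4120, RFC 4556).
PA_ENC_TIMESTAMP = 2     # password-derived key
PA_PK_AS_REQ_OLD = 14    # pre-RFC PKINIT
PA_PK_AS_REQ = 16        # RFC 4556 PKINIT
PA_ETYPE_INFO2 = 19      # a hint about enctypes, not a mechanism by itself

# Real KRB-ERROR code the KDC uses to advertise its preauth list.
KDC_ERR_PREAUTH_REQUIRED = 25


@dataclass
class ClientState:
    """What NIM knows locally before talking to the KDC (assumed shape)."""
    identity: str
    smartcard_present: bool       # a card (or PKCS#11 token) is plugged in
    expects_certificate: bool     # identity was configured to use its cert
    password_available: bool      # user could be prompted for a password


@dataclass
class KdcHint:
    """The relevant parts of the KDC's KRB-ERROR reply (assumed shape)."""
    error_code: int
    padata_types: List[int]


@dataclass
class Decision:
    mechanism: Optional[str]      # "pkinit", "password" or None
    note: str


# Constructed KDC table standing in for the real network exchange.
# None means the KDC could not be reached.
REALMS = {
    "PKINIT.EXAMPLE": KdcHint(KDC_ERR_PREAUTH_REQUIRED,
                              [PA_ETYPE_INFO2, PA_PK_AS_REQ, PA_ENC_TIMESTAMP]),
    "PASSWORD-ONLY.EXAMPLE": KdcHint(KDC_ERR_PREAUTH_REQUIRED,
                                     [PA_ETYPE_INFO2, PA_ENC_TIMESTAMP]),
    "CERT-ONLY.EXAMPLE": KdcHint(KDC_ERR_PREAUTH_REQUIRED, [PA_PK_AS_REQ]),
    "UNREACHABLE.EXAMPLE": None,
}


def kdc_preauth_hint(realm: str) -> Optional[KdcHint]:
    """Simulates sending an AS-REQ and collecting the KDC's preauth hint."""
    return REALMS.get(realm)


def choose_preauth(client: ClientState, hint: Optional[KdcHint]) -> Decision:
    """Pick a mechanism that is consistent with what the KDC offered."""
    if hint is None:
        return Decision(None, "KDC unreachable; no preauth list to decide against")
    if hint.error_code != KDC_ERR_PREAUTH_REQUIRED:
        return Decision(None, "reply is not a preauth hint")

    offered = set(hint.padata_types)
    pkinit_offered = bool(offered & {PA_PK_AS_REQ, PA_PK_AS_REQ_OLD})
    password_offered = PA_ENC_TIMESTAMP in offered

    # Normal case: certificate available and the KDC lists PKINIT.
    if client.smartcard_present and pkinit_offered:
        return Decision("pkinit", "smart card present and KDC offers pkinit")

    # The non-intuitive case from the message: the identity was set up to
    # use a certificate, but this KDC does not offer pkinit at all.
    if client.expects_certificate and not pkinit_offered:
        if client.password_available and password_offered:
            return Decision("password",
                            "identity expected pkinit; KDC does not offer it, "
                            "falling back to password")
        return Decision(None, "identity expected pkinit; KDC does not offer "
                              "it and no password path is available")

    if client.password_available and password_offered:
        return Decision("password", "KDC offers encrypted timestamp")

    return Decision(None, "no mechanism in common with the KDC")


def decide_for(client: ClientState, realm: str) -> Decision:
    """Full flow: contact the (simulated) KDC first, then decide."""
    return choose_preauth(client, kdc_preauth_hint(realm))
```

The point of routing every decision through `kdc_preauth_hint` first is the one MIT makes: the local presence of a smart card alone never selects pkinit; the KDC's padata list does. The `UNREACHABLE.EXAMPLE` entry shows the cost of that rule, which is the delay and failure mode Jeff raised.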
