Proposal for NIM 2.0 Multiple Identity Provider User Experience andPK-INIT

Jeffrey Altman jaltman at
Tue Aug 7 22:34:38 EDT 2007

Sam Hartman wrote:
> Jeff, I'm summarizing something we discussed on the phone for the
> list.
> MIT believes that it is important to contact the KDC and find out what
> preauth types are available.  NIM must respond in a manner that is
> consistent with these preauth types.  I.E. if it is obtaining
> credentials for a given kerberos identity and pkinit is not offered by
> the KDC pkinit will not be used.
> This will produce non-intuitive behavior in the case where NIM expects
> to get credentials as a result of a certificate and pkinit is not
> offered, but I think all other cases work out reasonably well.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the krbdev mailing list