Proposal for NIM 2.0 Multiple Identity Provider User Experience andPK-INIT

Henry B. Hotz hotz at
Wed Aug 8 14:37:20 EDT 2007

On Aug 7, 2007, at 7:17 PM, Sam Hartman wrote:

>>>>>> "Henry" == Henry B Hotz <hotz at> writes:
>     Henry> My current presumption is that a smart card should be used
>     Henry> if there is one plugged into a known interface at the time
>     Henry> a decision needs to be made.  I'm assuming you can
>     Henry> distinguish between a real smart card and a pkcs11 library
>     Henry> (which may be hard, may even be undesirable in some
>     Henry> debugging scenarios).
>>> you need to contact the KDC to determine if pkinit is
>>> supported.  For that matter you will also need a way of
>>> determining if password authentication is disabled for the
>>> account.  However, requiring communication with the KDC should
>>> be avoided as it leads to uncomfortable delays on slow networks
>>> or when the KDC is inaccessible.  Users do not anticipate a
>>> communication to the KDC until after they press the "Finish"
>>> button.
> Jeff, I'm summarizing something we discussed on the phone for the
> list.
> MIT believes that it is important to contact the KDC and find out what
> preauth types are available.  NIM must respond in a manner that is
> consistent with these preauth types.  I.E. if it is obtaining
> credentials for a given kerberos identity and pkinit is not offered by
> the KDC pkinit will not be used.
> This will produce non-intuitive behavior in the case where NIM expects
> to get credentials as a result of a certificate and pkinit is not
> offered, but I think all other cases work out reasonably well.

That would seem to be a configuration error (though I couldn't say if  
it's on the KDC or in NIM).  In any case wouldn't it be fairly easy  
to notice and give a fairly specific/meaningful error message?

As a matter of curiosity, Jeff, the case where the client wants  
PKINIT, but doesn't have a smart card:  would that be with the key  
file(s) on a USB flash drive, or does someone actually want a  
password-protected local file to be the ID authority?
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list