pkinit slotid=N ?

Sam Hartman hartmans at MIT.EDU
Mon Jan 14 09:53:29 EST 2008

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at> writes:

    Nicolas> IIRC we discussed this in the past.  

We sure did.

    Nicolas> One possibility is
    Nicolas> to search the token for a suitable cert and use the first
    Nicolas> one found that can be used successfully.  Another is to
    Nicolas> use all the certs that can be used successfully and store
    Nicolas> all the resulting TGTs in the same ccache -- pick a
    Nicolas> default principal name for the ccache however you like :)
    Nicolas> (e.g., the first cert's).

If you are going to bring up past discussions and restate your
position, please also restate the opposing views and explain why we
came to different conclusions.  If you don't remember, please at least
state that the position you bring up now was considered and after
considering it the group decided to do something else.

Considerations driving the ultimate decision included:

* Requiring multiple pins is highly problematic; you should only ask for the pin when you're sure you have the right cert.

* You need to be careful in how you ask for the pin; the user needs to know what pin you want otherwise you might disable a card.

* I believe there was discussion of a need to support cards where a pin was required to enumerate what certs were available.

If someone wants to create a project to improve the pkinit cert
selection that would be wonderful.  The README for the 1.6.3 release
states that this code is alpha and may change; I don't think we have a
strong interface stability guarantee for pkinit at this time.

In order for such a project to be evaluated by the community it would
need to include a summary of the previous discussion and would need to
explain why we were wrong or how the conclusions of the previous
discussion are being extended.

Sam Hartman
Chief Technologist, MIT Kerberos Consortium
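The three considerations above (prompt for the PIN only once the right cert is known, make the prompt name the token so the user does not feed the wrong PIN to a card that will lock, and cope with cards that hide their certificates until login) can be read as a selection policy. What follows is an added model of that policy, written for this page; it is not krb5's PKINIT code and does not use a real PKCS#11 binding. The `Token` class is a constructed stand-in whose `enumerate`/`login` behave like C_FindObjects with CKA_PRIVATE objects and a card retry counter; the retry threshold, the "never burn the last try" rule, and the sample certificates are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed model of a PKCS#11 token; not krb5 code and not a real binding.
MAX_PIN_RETRIES = 3  # assumed lockout threshold of the simulated card


class TokenLocked(Exception):
    """Too many wrong PINs: the simulated card has locked itself."""


class BadPin(Exception):
    """Wrong PIN; the card's retry counter has been decremented."""


@dataclass
class Cert:
    label: str
    principal: Optional[str]  # Kerberos principal in the cert's SAN (constructed)
    client_auth: bool         # key usage / EKU permits client authentication
    private: bool = False     # like CKA_PRIVATE: object invisible until login


@dataclass
class Token:
    label: str
    pin: str
    certs: List[Cert]
    logged_in: bool = False
    retries_left: int = MAX_PIN_RETRIES

    def enumerate(self) -> List[Cert]:
        """Objects visible at the current login state (C_FindObjects-like)."""
        return [c for c in self.certs if self.logged_in or not c.private]

    def login(self, pin: str) -> None:
        """Verify the PIN; a wrong PIN consumes one retry, zero retries locks."""
        if self.retries_left == 0:
            raise TokenLocked(self.label)
        if pin != self.pin:
            self.retries_left -= 1
            if self.retries_left == 0:
                raise TokenLocked(self.label)
            raise BadPin(self.label)
        self.logged_in = True
        self.retries_left = MAX_PIN_RETRIES


def usable_for(cert: Cert, principal: str) -> bool:
    """A cert is a candidate if it permits client auth and names the principal."""
    return cert.client_auth and cert.principal == principal


def login_once(token: Token, why: str, prompt: Callable[[str], str]) -> bool:
    """Ask for the PIN, naming the token and the reason, then log in.

    Re-prompts after a wrong PIN only while at least two tries remain, so the
    client never spends the card's last attempt (an assumed policy)."""
    while True:
        pin = prompt(f"PIN for token '{token.label}' ({why}): ")
        try:
            token.login(pin)
            return True
        except BadPin:
            if token.retries_left < 2:
                return False


def select_cert(token: Token, principal: str,
                prompt: Callable[[str], str]) -> Optional[Cert]:
    """Pick the PKINIT client cert for `principal`, asking for the PIN at most once.

    1. Enumerate without logging in and look for a matching cert.
    2. Only if nothing matches, log in (cards that hide certs until login)
       and enumerate again.
    3. Otherwise log in only after the matching cert has been identified.
    """
    matches = [c for c in token.enumerate() if usable_for(c, principal)]
    if not matches and not token.logged_in:
        if not login_once(token, "listing certificates", prompt):
            return None
        matches = [c for c in token.enumerate() if usable_for(c, principal)]
    if not matches:
        return None
    chosen = matches[0]
    if not token.logged_in and not login_once(token, f"using '{chosen.label}'", prompt):
        return None
    return chosen


def scripted_prompt(answers: List[str]) -> Callable[[str], str]:
    """Constructed stand-in for an interactive PIN prompt; records each question."""
    asked: List[str] = []
    replies = iter(answers)

    def prompt(message: str) -> str:
        asked.append(message)
        return next(replies)

    prompt.asked = asked  # type: ignore[attr-defined]
    return prompt


def make_token(hide_certs: bool) -> Token:
    """Constructed sample card: a signing-only cert and a PKINIT client cert."""
    return Token(label="slot 1 card", pin="1234", certs=[
        Cert("sign", principal=None, client_auth=False, private=hide_certs),
        Cert("pkinit", principal="alice@EXAMPLE.COM", client_auth=True,
             private=hide_certs),
    ])


if __name__ == "__main__":
    tok, ask = make_token(False), scripted_prompt(["1234"])
    cert = select_cert(tok, "alice@EXAMPLE.COM", ask)
    print(cert.label if cert else None, ask.asked)
```

Each path through `select_cert` issues at most one PIN prompt, and every prompt names both the token and the reason, which is the behaviour the second consideration asks for; the wrong-PIN path stops short of the card's last retry instead of locking it.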
