pkinit preauth plugin issue

Sam Hartman hartmans at MIT.EDU
Wed Feb 10 12:15:54 EST 2010

As I indicated on the release team call yesterday, I strongly object to
pkinit using gak_data as a pin for access to smart cards.  The reason is
that confusing pins and passwords can be problematic and can lead to
card lock outs.

I think an API that took some slot identifier or token identifier and a
pin and fed them to pkinit would be a great idea though.

More information about the krbdev mailing list