HW-AUTHENT flag question

Nicolas Williams Nicolas.Williams at sun.com
Wed Feb 10 14:42:33 EST 2010

On Wed, Feb 10, 2010 at 02:28:42PM -0500, Thomas Hardjono wrote:
> Plus there is still the (difficult) question of how a KDC can actually
> tell the difference between a Client/User wielding a hardware-smartcard
> versus one that uses a software-smartcard.

You need a leap of faith no matter what in order to have any assurance
that the key was used via an acceptable smartcard, generated on the
smartcard, and non-extractable.  You can have a process such that
there's no leap of faith when the credential is provisioned, but after
that you must trust the physical defenses of the smartcard.


More information about the krbdev mailing list