HW-AUTHENT flag question
Nicolas.Williams at sun.com
Wed Feb 10 14:42:33 EST 2010
On Wed, Feb 10, 2010 at 02:28:42PM -0500, Thomas Hardjono wrote:
> Plus there is still the (difficult) question of how a KDC can actually
> tell the difference between a Client/User wielding a hardware-smartcard
> versus one that uses a software-smartcard.
You need a leap of faith no matter what in order to have any assurance
that the key was used via an acceptable smartcard, generated on the
smartcard, and non-extractable. You can have a process such that
there's no leap of faith when the credential is provisioned, but after
that you must trust the physical defenses of the smartcard.