HW-AUTHENT flag question

Henry B. Hotz hotz at jpl.nasa.gov
Wed Feb 10 19:36:11 EST 2010


On Feb 10, 2010, at 2:32 PM, krbdev-request at mit.edu wrote:

> Plus there is still the (difficult) question of how a KDC can actually
> tell the difference between a Client/User wielding a hardware-smartcard
> versus one that uses a software-smartcard.
I don't think that issue can be resolved generally.

However, I think it can be easily resolved for any particular enterprise.  The certs used on the cards are going to be handled organizationally in a particular place and way (or small number of same).

What's needed is some KDC config information that says to turn on the HW-AUTHENT flag if the cert matches some distinguishing criteria.  My NASA PIV card has a cert with a subject DN which ends in "...OU=PIV,OU=NASA,O=U.S. Government,C=US".  It also has the 2.16.840.1.101.3.6.9.1 policy extension, indicating it's a PIV cert, and it has the Microsoft smart card EKU.  Any one, or possibly some combination of those characteristics could be sufficient to say the cert belongs to a physical card.

My email cert is issued by a different part of our infrastructure.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
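As an added illustration (not Henry's code and not anything from MIT Kerberos), here is how such a KDC-side rule could be expressed in Go against the parsed PKINIT client certificate: the subject DN suffix, the PIV policy OID and the Microsoft smart card EKU from the mail, plus a minimum-match count to express "any one" versus "some combination". The HWAuthentRule type, its Evaluate method and the sample subject are constructed for this example; the EKU OID 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon) is my assumption since the mail names the EKU but not its OID, and the suffix is matched against Go's RFC 2253-style pkix.Name.String() rendering, which for a parsed cert lists RDNs most-specific first.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"slices"
	"strings"
)

// HWAuthentRule is a hypothetical per-enterprise KDC setting: the cert properties that mark a physical card.
type HWAuthentRule struct {
	SubjectSuffix string                  // RFC 2253 form, matched against the end of the subject DN
	PolicyOIDs    []asn1.ObjectIdentifier // certificate policies that imply a hardware token
	EKUOIDs       []asn1.ObjectIdentifier // extended key usages that imply a hardware token
	MinMatches    int                     // 1 = "any one"; 2 or 3 = "some combination"
}

var (
	PIVPolicy        = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 6, 9, 1}  // PIV policy OID quoted in the mail
	MSSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // Microsoft Smart Card Logon EKU (assumed OID)
)

// Evaluate returns the matched criteria and the HW-AUTHENT decision (Smart Card Logon is not a named Go ExtKeyUsage, so it lands in UnknownExtKeyUsage).
func (r HWAuthentRule) Evaluate(cert *x509.Certificate) (hits []string, hwAuthent bool) {
	if r.SubjectSuffix != "" && strings.HasSuffix(cert.Subject.String(), r.SubjectSuffix) {
		hits = append(hits, "subject")
	}
	for _, p := range r.PolicyOIDs {
		if slices.ContainsFunc(cert.PolicyIdentifiers, p.Equal) {
			hits = append(hits, "policy:"+p.String())
		}
	}
	for _, e := range r.EKUOIDs {
		if slices.ContainsFunc(cert.UnknownExtKeyUsage, e.Equal) {
			hits = append(hits, "eku:"+e.String())
		}
	}
	return hits, len(hits) >= r.MinMatches
}

func main() {
	rule := HWAuthentRule{SubjectSuffix: "OU=PIV,OU=NASA,O=U.S. Government,C=US", MinMatches: 2,
		PolicyOIDs: []asn1.ObjectIdentifier{PIVPolicy}, EKUOIDs: []asn1.ObjectIdentifier{MSSmartCardLogon}}
	ou := asn1.ObjectIdentifier{2, 5, 4, 11} // OU; the cert below is a constructed, unsigned stand-in, not a real cert
	piv := &x509.Certificate{Subject: pkix.Name{Organization: []string{"U.S. Government"}, Country: []string{"US"},
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: ou, Value: "NASA"}, {Type: ou, Value: "PIV"}}},
		PolicyIdentifiers: []asn1.ObjectIdentifier{PIVPolicy}, UnknownExtKeyUsage: []asn1.ObjectIdentifier{MSSmartCardLogon}}
	fmt.Println(rule.Evaluate(piv)) // [subject policy:2.16.840.1.101.3.6.9.1 eku:1.3.6.1.4.1.311.20.2.2] true
}
```

With MinMatches set to 2, a software cert that merely copies the DN suffix scores one hit and does not get the flag, which is the "some combination" case from the mail.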