a suggestion for improving pkinit preauth plugin token choosing

Sam Hartman hartmans at MIT.EDU
Mon May 10 05:21:06 EDT 2010


I agree that what you propose is an improvement over the current
algorithm.

I'm uncomfortable with two things.

1) No way at all to deal with tokens that require login.  I wouldn't
mind if this needed to be explicitly enabled.  I think what the
discussions so far have suggested is that we know of no smart cards
falling into this category especially because they will not work with
the MS model, but we do know of non-smart-card PKCS11 devices falling
into this category.

2) Prompting user to insert smart card if none are found.

I think I'm in the rough on #2.

Neither of these is a blocking issue.


