[kerberos-discuss] a suggestion for improving pkinit preauth plugin token choosing

Sam Hartman hartmans at MIT.EDU
Tue May 11 15:27:15 EDT 2010


>>>>> "Will" == Will Fiveash <will.fiveash at oracle.com> writes:

    Will> On Mon, May 10, 2010 at 07:57:50PM -0400, Sam Hartman wrote:
    >> I think slot/token ID is sufficient if you will try a specified
    >> slot/token even if you were not able to examine its certs because
    >> login would be required.

    Will> Just to be clear, what I'm suggesting is if the token to be
    Will> used for PKINIT requires login to access the cert then only
    Will> the slot-id and or token-label criteria in the PKCS11 URI in
    Will> krb5.conf should be set to match that token and no cert
    Will> matching criteria should be specified.  In this scenario the
    Will> algorithm I proposed would work like:

What happens if multiple certs are present on such a token?

I'm fine with "We don't support that".
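To make the selection rule under discussion concrete, here is an added toy model of it in Python; it is not code from the thread, from krb5, or from the pkinit plugin. It assumes a simplified `pkcs11:key=value;key=value` URI form (not the real krb5.conf `pkinit_identities` syntax), an in-memory list of constructed tokens standing in for what a PKCS#11 module would enumerate, and a `login` callback standing in for PIN entry. The token is chosen by `slot-id` and/or `token` label alone; if it needs login, it is still tried (certificates are examined only after login), cert criteria are rejected for such a token since they could not be evaluated, and a login-required token holding several certificates is reported as unsupported rather than guessed at, which is the "we don't support that" outcome above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Token:
    """Constructed stand-in for a PKCS#11 token as a module would enumerate it."""
    slot_id: int
    label: str
    login_required: bool
    certs: List[str]  # certificate labels; hidden until login if login_required


SLOT_KEYS = ("slot-id", "token")  # criteria that identify the token itself
CERT_KEYS = ("object",)           # criteria that identify a cert on the token


def parse_pkcs11_uri(uri: str) -> Dict[str, str]:
    """Parse the simplified 'pkcs11:k=v;k=v' form assumed by this example."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    attrs: Dict[str, str] = {}
    for part in filter(None, uri[len("pkcs11:"):].split(";")):
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute {part!r}")
        if key not in SLOT_KEYS + CERT_KEYS:
            raise ValueError(f"unsupported attribute {key!r}")
        attrs[key] = value
    return attrs


def visible_certs(token: Token, logged_in: bool) -> List[str]:
    """Certs a client can enumerate: none on a login-required token before login."""
    if token.login_required and not logged_in:
        return []
    return list(token.certs)


def select_identity(uri: str, tokens: List[Token],
                    login: Callable[[Token], bool]) -> Tuple[str, str]:
    """Return (token label, cert label) for the identity the URI selects."""
    attrs = parse_pkcs11_uri(uri)
    slot_crit = {k: attrs[k] for k in SLOT_KEYS if k in attrs}
    cert_crit = {k: attrs[k] for k in CERT_KEYS if k in attrs}
    if not slot_crit:
        raise ValueError("URI must carry slot-id and/or token to pick a token")

    # Step 1: pick the token by slot id and/or label only; exactly one must match.
    candidates = [
        t for t in tokens
        if ("slot-id" not in slot_crit or t.slot_id == int(slot_crit["slot-id"]))
        and ("token" not in slot_crit or t.label == slot_crit["token"])
    ]
    if len(candidates) != 1:
        raise LookupError(f"{len(candidates)} tokens match {slot_crit}; need exactly one")
    tok = candidates[0]

    # Step 2: try the token even though its certs cannot be examined before login.
    logged_in = False
    if tok.login_required:
        if cert_crit:
            raise ValueError("cert criteria cannot be checked before login; "
                             "set only slot-id/token for this token")
        if not login(tok):
            raise PermissionError(f"login to token {tok.label!r} failed")
        logged_in = True
    certs = visible_certs(tok, logged_in)

    # Step 3: narrow by cert criteria where the URI carries any.
    if "object" in cert_crit:
        certs = [c for c in certs if c == cert_crit["object"]]
    if not certs:
        raise LookupError(f"no usable cert on token {tok.label!r}")
    if len(certs) > 1:
        # The ambiguity raised in the thread: refuse rather than guess.
        raise LookupError(f"token {tok.label!r} holds {len(certs)} certs and the "
                          "URI does not identify one; not supported")
    return tok.label, certs[0]


# Constructed sample tokens for a stand-alone run.
SAMPLE_TOKENS = [
    Token(0, "SoftToken", False, ["user-cert"]),
    Token(1, "SmartCard", True, ["auth-cert"]),
    Token(2, "MultiCard", True, ["auth-cert", "sign-cert"]),
]


def pin_login(token: Token) -> bool:
    """Constructed login callback that always succeeds (no real PIN prompt)."""
    return True


if __name__ == "__main__":
    print(select_identity("pkcs11:slot-id=1", SAMPLE_TOKENS, pin_login))
```

Running the module selects `("SmartCard", "auth-cert")` for `pkcs11:slot-id=1`; the same URI with `slot-id=2` raises `LookupError` because `MultiCard` holds two certificates and nothing in the URI identifies one.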
