[kerberos-discuss] a suggestion for improving pkinit preauth plugin token choosing
Will Fiveash
will.fiveash at oracle.com
Tue May 11 15:39:00 EDT 2010
On Tue, May 11, 2010 at 03:27:15PM -0400, Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <will.fiveash at oracle.com> writes:
>
> Will> On Mon, May 10, 2010 at 07:57:50PM -0400, Sam Hartman wrote:
> >> I think slot/token ID is sufficient if you will try a specified
> >> slot/token even if you were not able to examine its certs because
> >> login would be required.
>
> Will> Just to be clear, what I'm suggesting is if the token to be
> Will> used for PKINIT requires login to access the cert then only
> Will> the slot-id and or token-label criteria in the PKCS11 URI in
> Will> krb5.conf should be set to match that token and no cert
> Will> matching criteria should be specified. In this scenario the
> Will> algorithm I proposed would work like:
>
> What happens if multiple certs are present on such a token?
>
> I'm fine with "We don't support that"
The way it works now, > 1 cert in a token is not supported unless cert
matching rules/criteria are specified. So my proposal would not support
a token that required login to access certs and contained > 1 cert.
I think to support that might require a new config interface.
--
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash at oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
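The selection rule discussed above, modelled as an added example (this is not MIT krb5 code and not Will's implementation; the `Token` record, the function names and the `cert_match` substring criterion are assumptions standing in for the slot-id / token-label and cert-matching parts of a PKCS11 URI in krb5.conf). A token that needs login is accepted on slot/label alone and its certs are only checked after login; more than one cert without a cert-matching criterion is reported as unsupported, both before and after login:

```python
"""Hypothetical model of the PKINIT token-choosing rule from the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Token:
    slot_id: int
    label: str
    login_required: bool
    certs: List[str]  # constructed sample subjects; hidden until login if login_required


class TokenSelectionError(Exception):
    """Raised when the configured criteria do not identify exactly one token/cert."""


def select_cert(tok: Token, cert_match: Optional[str] = None) -> str:
    """Cert step: run once the token's certs are readable (no login, or after login)."""
    certs = [c for c in tok.certs if cert_match is None or cert_match in c]
    if len(certs) != 1:
        raise TokenSelectionError(
            f"token {tok.label!r}: {len(certs)} certs match, need exactly 1 "
            "(>1 cert is unsupported without cert matching criteria)")
    return certs[0]


def select_token(tokens: List[Token], slot_id: Optional[int] = None,
                 token_label: Optional[str] = None,
                 cert_match: Optional[str] = None) -> Tuple[Token, Optional[str]]:
    """Return (token, cert); cert is None when it cannot be examined before login."""
    # Step 1: narrow by slot-id and/or token-label, the only criteria usable
    # against a token whose certs are not visible before login.
    candidates = [t for t in tokens
                  if (slot_id is None or t.slot_id == slot_id)
                  and (token_label is None or t.label == token_label)]
    if len(candidates) != 1:
        raise TokenSelectionError(
            f"{len(candidates)} tokens match slot/label criteria, need exactly 1")
    tok = candidates[0]
    if tok.login_required:
        # Certs cannot be inspected yet: accept the token on slot/label alone.
        # The proposal sets no cert matching criteria for such a token.
        if cert_match is not None:
            raise TokenSelectionError(
                "cert matching criteria cannot be applied to a token before login")
        return tok, None
    # Step 2: token is readable now, so apply the cert rule immediately.
    return tok, select_cert(tok, cert_match)


def raises(fn, *args, **kwargs) -> bool:
    """Helper so callers can check the unsupported cases without try/except."""
    try:
        fn(*args, **kwargs)
    except TokenSelectionError:
        return True
    return False


# Constructed sample tokens: a PIN-protected card with one cert and a
# software token holding two certs.
SAMPLE_TOKENS = [
    Token(slot_id=0, label="pivcard", login_required=True, certs=["CN=alice piv"]),
    Token(slot_id=1, label="softtoken", login_required=False,
          certs=["CN=alice sign", "CN=alice enc"]),
]

if __name__ == "__main__":
    tok, cert = select_token(SAMPLE_TOKENS, slot_id=0)
    print(tok.label, cert)                       # pivcard None (cert deferred to login)
    print(select_cert(tok))                      # CN=alice piv
    print(select_token(SAMPLE_TOKENS, token_label="softtoken", cert_match="enc"))
```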