[kerberos-discuss] a suggestion for improving pkinit preauth plugin token choosing
Sam Hartman
hartmans at MIT.EDU
Tue May 11 16:14:32 EDT 2010
>>>>> "Will" == Will Fiveash <will.fiveash at oracle.com> writes:
Will> On Tue, May 11, 2010 at 03:27:15PM -0400, Sam Hartman wrote:
>> >>>>> "Will" == Will Fiveash <will.fiveash at oracle.com> writes:
>>
Will> On Mon, May 10, 2010 at 07:57:50PM -0400, Sam Hartman wrote:
>> >> I think slot/token ID is sufficient if you will try a specified
>> >> slot/token even if you were not able to examine its certs because
>> >> login would be required.
>>
Will> Just to be clear, what I'm suggesting is that if the token to be
Will> used for PKINIT requires login to access the cert, then only
Will> the slot-id and/or token-label criteria in the PKCS11 URI in
Will> krb5.conf should be set to match that token, and no cert
Will> matching criteria should be specified. In this scenario the
Will> algorithm I proposed would work like:
>>
>> What happens if multiple certs are present on such a token?
>>
>> I'm fine with "We don't support that"
Will> The way it works now, > 1 cert in a token is not supported
Will> unless cert matching rules/criteria are specified. So my
Will> proposal would not support a token that required login to
Will> access certs and contained > 1 cert.
As I said originally, I'm fine with this and agree it is a significant
step forward.
--Sam