a suggestion for improving pkinit preauth plugin token choosing

Douglas E. Engert deengert at anl.gov
Wed May 12 10:46:42 EDT 2010

I am still catching up on this thread, but had to make one comment:

Henry B. Hotz wrote:

> <rant!!>
> By definition a person can only have one PIV card. 

In the strictest sense yes, as the PIV also defines the PKI policies and
infrastructure as defined by the U.S. Gov and they say one card. But PIV-Interoperable
and PIV-Compatable would allow for more then one card. PIV-C and PIV-I basically
use the  same type of card, but the certs are issued by some other organization.
With PIV-I there is some trust by U.S. gov with PIV-C there is no trust.
(I expect PIV-C to catch on, as the PIV card could become the defacto standard card.)
To PKINIT these all look like PIV cards.  So I could have more then one PIV card.

A possible senerio: I forgot my card at home, so I get issued a one day temp
card with locally issued credentials good enough to let me login in.

> Therefore if you have a person with a user account and 2-3 admin accounts, you should be able to use the PIV card for any of those.  (The UI model of having the card plug-in select the login account is just broken, and I've spoken to people at NASA and some DOE labs who agree with me.)  
> Furthermore the card is usually issued by a different organization from the one using/deploying the card, so *any* use of the issuer-defined UPN value in the card's certificate is almost certainly wrong!
> Linux with the Debian pam_krb5 is way, way easier to set up than Apple or Microsoft, because they don't do a bunch of inappropriate things based on the UPN.  Every time I think about all the time I've wasted dealing with the problems caused by all the time Apple and MS wasted creating those problems in the first place I just want to. . . 
> </rant!!>

Yes I agree, IMHO having the UPN on the card is a hold over from Microsoft's early
implementations that assumed cards where issued by the domain. W2008 AD servers and
W7 clients can be configured to not require this.

> OK, I'm better now, I think.  More below.


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list