Project review: response sets

Dmitri Pal dpal at
Fri Jul 13 18:42:13 EDT 2012

On 07/13/2012 06:25 PM, Dmitri Pal wrote:
> On 07/13/2012 05:57 PM, Nico Williams wrote:
>> On Fri, Jul 13, 2012 at 4:40 PM, Dmitri Pal <dpal at> wrote:
>>>> Excuse my ignorance, but why are flags necessary in the context of
>>>> prompting the user?  You don't mean that the application should be
>>> s/should be/might be
>>>> responsible for interfacing with hardware tokens plugged into token
>>>> slots, do you?
>>> Absolutely yes.
>>> Application can be prompting the user or interacting with the hardware
>>> directly.
>>> SSSD is one of such applications. It can do the first and soon will be
>>> able to do the second.
>> I understand why the application has to be the one interacting with
>> the user.  I don't understand why the application has to be the thing
>> interacting with the hardware token.  What am I missing?
> Who is going to interact with the connected OTP token or a token
> embedded into the hardware like TPM?
> Do you expect it to be the code under the Kerberos library?
> Those interactions are usually hardware and vendor specific.
> I do not think we want to embed it into the Kerberos library.
> It is perfect opportunity to offset it to intermediary like SSSD or
> similar software for other platforms.
Over time if some of those get standardized they can be moved to the
common library under kerberos but for the time being it makes sense to
leave it to the application to deal with.

>> Nico
>> --
>> _______________________________________________
>> krbdev mailing list             krbdev at

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

More information about the krbdev mailing list