Project review: response sets

Nico Williams nico at
Fri Jul 13 18:51:38 EDT 2012

On Fri, Jul 13, 2012 at 5:42 PM, Dmitri Pal <dpal at> wrote:
>> It is a perfect opportunity to offset it to an intermediary like SSSD or
>> similar software for other platforms.
> Over time if some of those get standardized they can be moved to the
> common library under Kerberos but for the time being it makes sense to
> leave it to the application to deal with.

I don't think we should conflate how to talk to a piece of hardware
with how to talk to the user.

I would rather see the application tell libkrb5/plugins how to access
available hardware (e.g., "use this PKCS#11 DLL", "use these callbacks
to talk to the token"), and to separate this from interaction with the

If there are 5 tokens that can be accessed with three different
libraries I'd expect the app to use some gic_opt to tell the plugin
about the three libraries and let the plugin list the tokens.  Later
the plugin might want the user to choose a token.  The question and
response need not be anything more than strings, really, and the
plugin can use the selected token with the correct library.

