Project review: response sets

Nico Williams nico at
Fri Jul 13 20:08:58 EDT 2012

On Fri, Jul 13, 2012 at 5:53 PM, Dmitri Pal <dpal at> wrote:
> I would agree with you 100% if all that would have been standardized in
> the same way as smart cards but the technology is not there.

All you have to do is define an API that the application must provide
to libkrb5/plugins as a v-table.  I think the API would be rather
simple, with functions for:

 - list tokens
 - get token info
 - login to token (this takes a PIN if necessary and if there's no PIN pad)
 - get OTP (this takes a challenge if doing challenge/response)
 - logout

And maybe a few others.  Maybe you need it to look just a tad more like PKCS#11:

 - list _slots_
 - wait for / set event callback for token insertion/removal events

> By assuming that libkrb5 would be in charge of all these methods from
> get go we are creating a barrier for adoption. This of a third party
> app. One case they can do everything in their tree and another they have
> to get the code to be a part of the libkrb5.

I don't agree, see above.


More information about the krbdev mailing list