Project review: response sets
nico at cryptonector.com
Fri Jul 13 20:08:58 EDT 2012
On Fri, Jul 13, 2012 at 5:53 PM, Dmitri Pal <dpal at redhat.com> wrote:
> I would agree with you 100% if all that would have been standardized in
> the same way as smart cards but the technology is not there.
All you have to do is define an API that the application must provide
to libkrb5/plugins as a v-table. I think the API would be rather
simple, with functions for:
- list tokens
- get token info
- login to token (this takes a PIN if necessary and if there's no PIN pad)
- get OTP (this takes a challenge if doing challenge/response)
And maybe a few others. Maybe you need it to look just a tad more like PKCS#11:
- list _slots_
- wait for / set event callback for token insertion/removal events
> By assuming that libkrb5 would be in charge of all these methods from
> get go we are creating a barrier for adoption. This of a third party
> app. One case they can do everything in their tree and another they have
> to get the code to be a part of the libkrb5.
I don't agree, see above.
More information about the krbdev