Support for multiple pkinit identities

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Jan 12 14:14:45 EST 2021


>I think the best behavior would be to treat multiple pkinit_identities
>values like we'd treat a single DIR: value (or PKCS11 token) containing
>all of the certs, so that identity selection works on them.  That might
>be difficult to implement, though.

I agree, that might be difficult to implement.  Also, the pkinit client
code gets unhappy if it finds more than one match so combining everything
together might result in unintended failures.

In my experience (and we use PKCS11 libraries a lot, obviously), you
_generally_ don't have multiple PKCS11 libraries on the same system
that you'd want to all combine at once; it's usually one PKCS11 library
per system.

I'm in the middle of working out a patch that I think will make the
library behave in the way the documentation USED to be.  I think the
changes will be small.  If it's reasonable, do you think it could
possibly make it into 1.19?
