[15749] in Kerberos_V5_Development
Re: [kerberos-discuss] smart card token label question
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon May 3 19:41:10 2010
Date: Mon, 3 May 2010 18:39:06 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Message-ID: <20100503233906.GI9429@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <BB9B4B81-FC6E-47C6-BEDF-858E8AB012F8@jpl.nasa.gov>
Cc: kerberos-discuss <kerberos-discuss@opensolaris.org>,
MIT Kerberos Dev List <krbdev@mit.edu>,
"Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, May 03, 2010 at 04:31:04PM -0700, Henry B. Hotz wrote:
> On May 3, 2010, at 3:40 PM, Nicolas Williams wrote:
> > The problem is that some tokens pretend that there are no public objects
> > unless you've logged in. So if there's several tokens in the system and
> > one needs to choose between them (e.g., between an SCA6000 and one of
> > several smartcards) at logon time, the questions are: how to narrow down
> > the choices, and how to present the remaining choices to the user.
>
> The cert on a PIV-II card is readable without the PIN. According to
> Doug that's precisely to avoid the problems you're talking about. ;-)
I understood that :) But is it true of all cards? I assumed not (it's
not true of SCA-6000s, for example, though that's not a smartcard).
However, if it's true of most cards then I think that's good enough.
> > Also, asking that the PKINIT pre-auth plugin understand CHUID seems... a
> > bit much.
> >
> > The simplest answer is, of course, to ensure that one has just one slot :)
> > But that's not as easy as it sounds.
>
> Seems to be normal to have multiple slots around.
Almost inevitable, and even multiple slots that have tokens present.
> MacOS has a poorly-documented keychain search algorithm, but the
> keychain representing a physically plugged-in smart card always comes
> first.
Oh, interesting. You'd probably not want that on Solaris, where the
user-land crypto API of choice is PKCS#11, with a softtoken to provide
software implementations of mechanisms -- this can and may have led to
apps that aren't multi-slot-aware.
Thanks,
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev