[15749] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: [kerberos-discuss] smart card token label question

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon May 3 19:41:10 2010

Date: Mon, 3 May 2010 18:39:06 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Message-ID: <20100503233906.GI9429@oracle.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <BB9B4B81-FC6E-47C6-BEDF-858E8AB012F8@jpl.nasa.gov>
Cc: kerberos-discuss <kerberos-discuss@opensolaris.org>,
   MIT Kerberos Dev List <krbdev@mit.edu>,
   "Douglas E. Engert" <deengert@anl.gov>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Mon, May 03, 2010 at 04:31:04PM -0700, Henry B. Hotz wrote:
> On May 3, 2010, at 3:40 PM, Nicolas Williams wrote:
> > The problem is that some tokens pretend that there are no public objects
> > unless you've logged in.  So if there's several tokens in the system and
> > one needs to choose between them (e.g., between an SCA6000 and one of
> > several smartcards) at logon time, the questions are: how to narrow down
> > the choices, and how to present the remaining choices to the user.
> 
> The cert on a PIV-II card is readable without the PIN.  According to
> Doug that's precisely to avoid the problems you're talking about.  ;-)

I understood that :)  But is it true of all cards?  I assumed not (it's
not true of SCA-6000s, for example, though that's not a smartcard).
However, if it's true of most cards then I think that's good enough.

> > Also, asking that the PKINIT pre-auth plugin understand CHUID seems... a
> > bit much.
> > 
> > The simplest answer is, of course, to ensure that one has just one slot :)
> > But that's not as easy as it sounds.
> 
> Seems to be normal to have multiple slots around.

Almost inevitable, and even multiple slots that have tokens present.

> MacOS has a poorly-documented keychain search algorithm, but the
> keychain representing a physically plugged-in smart card always comes
> first.

Oh, interesting.  You'd probably not want that on Solaris, where the
user-land crypto API of choice is PKCS#11, with a softtoken to provide
software implementations of mechanisms -- this can and may have led to
apps that aren't multi-slot-aware.

Thanks,

Nico
-- 
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post