[15776] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: a suggestion for improving pkinit preauth plugin token choosing

daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon May 10 05:21:10 2010

From: Sam Hartman <hartmans@mit.edu>
To: kerberos-discuss <kerberos-discuss@opensolaris.org>
Date: Mon, 10 May 2010 05:21:06 -0400
In-Reply-To: <20100507223059.GA1973@sun.com> (Will Fiveash's message of "Fri, 
	7 May 2010 17:30:59 -0500")
Message-ID: <tsl7hncun7h.fsf@mit.edu>
MIME-Version: 1.0
Cc: MIT Kerberos Dev List <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

I agree that what you propose is an improvement over the current
algorithm.

I'm uncomfortable with two things.

1) No way at all to deal with tokens that require login.  I wouldn't
mind if this needed to be explicitly enabled.  I think what the
discussions so far have suggested is that we know of no smart cards
falling into this category especially because they will not work with
the MS model, but we do know of non-smart-card PKCS11 devices falling
into this category.

2) Prompting user to insert smart card if none are found.

I think I'm in the rough on #2.

Neither of these are blocking issues.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post