[15776] in Kerberos_V5_Development
Re: a suggestion for improving pkinit preauth plugin token choosing
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon May 10 05:21:10 2010
From: Sam Hartman <hartmans@mit.edu>
To: kerberos-discuss <kerberos-discuss@opensolaris.org>
Date: Mon, 10 May 2010 05:21:06 -0400
In-Reply-To: <20100507223059.GA1973@sun.com> (Will Fiveash's message of "Fri,
7 May 2010 17:30:59 -0500")
Message-ID: <tsl7hncun7h.fsf@mit.edu>
MIME-Version: 1.0
Cc: MIT Kerberos Dev List <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
I agree that what you propose is an improvement over the current
algorithm.
I'm uncomfortable with two things.
1) No way at all to deal with tokens that require login. I wouldn't
mind if this needed to be explicitly enabled. I think what the
discussions so far have suggested is that we know of no smart cards
falling into this category especially because they will not work with
the MS model, but we do know of non-smart-card PKCS11 devices falling
into this category.
2) Prompting user to insert smart card if none are found.
I think I'm in the rough on #2.
Neither of these are blocking issues.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev