[15791] in Kerberos_V5_Development
Re: [kerberos-discuss] a suggestion for improving pkinit preauth
daemon@ATHENA.MIT.EDU (Will Fiveash)
Tue May 11 15:38:58 2010
Date: Tue, 11 May 2010 14:39:00 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Sam Hartman <hartmans@mit.edu>
Message-ID: <20100511193900.GC27726@sun.com>
Mail-Followup-To: Sam Hartman <hartmans@mit.edu>,
kerberos-discuss <kerberos-discuss@opensolaris.org>,
MIT Kerberos Dev List <krbdev@mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <tslzl066xyk.fsf@mit.edu>
Cc: kerberos-discuss <kerberos-discuss@opensolaris.org>,
MIT Kerberos Dev List <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Tue, May 11, 2010 at 03:27:15PM -0400, Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <will.fiveash@oracle.com> writes:
>
> Will> On Mon, May 10, 2010 at 07:57:50PM -0400, Sam Hartman wrote:
> >> I think slot/token ID is sufficient if you will try a specified
> >> slot/token even if you were not able to examine its certs because
> >> login would be required.
>
> Will> Just to be clear, what I'm suggesting is if the token to be
> Will> used for PKINIT requires login to access the cert then only
> Will> the slot-id and or token-label criteria in the PKCS11 URI in
> Will> krb5.conf should be set to match that token and no cert
> Will> matching criteria should be specified. In this scenario the
> Will> algorithm I proposed would work like:
>
> What happens if multiple certs are present on such a token?
>
> I'm fine with "We don't support that"
The way it works now > 1 cert in a token is not supported unless cert
matching rules/criteria are specified. So my proposal would not support
a token that required login to access certs and it contained > 1 cert.
I think to support that might require a new config interface.
--
Will Fiveash
Oracle
Note my new work e-mail address: will.fiveash@oracle.com
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev