[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: pkinit, openssl engines, and cert retrieval.
-----BEGIN PGP SIGNED MESSAGE-----
Douglas E. Engert wrote:
> If you want a stable API, that would be PKCS#11. The Heimdal code could
> call this directly and would mean it could drop the engine code.
> You might also want to look at the OpenSC libp11 that is a helper lib
> for applications to make it easier to use pkcs11.
as far as I can tell, pkcs11 really doesn't allow you to expose enough
information(user/principal name for example) to be a good general
purpose identity retrieval callout interface. In my use case, I expect
to be getting x509 certs via calls to a myproxy client library. In this
case I need access to a username to use in the myproxy protocol
authentication phase. In my case it's desireable that this be the
principal name which the user is attempting to get get krb5 credentials.
I'm not sure how such information could reasonably be passed through the
pkcs11 interface(unless by some unholy means such as storing it in an
object on the "card" which would hardly be the kind of thing you want to
be hardcoded into the kerberos libraries.)
- -Matt Andrews
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----