Re: pkinit, openssl engines, and cert retrieval.

[Matthew Andrews <matt@slackers.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Douglas E. Engert wrote:
> 
> 

> 
> If you want a stable API, that would be PKCS#11. The Heimdal code could
> call this directly and would mean it could drop the engine code.
> You might also want to look at the OpenSC libp11 that is a helper lib
> for applications to make it easier to use pkcs11.
> 
> 
as far as I can tell, pkcs11 really doesn't allow you to expose enough
information(user/principal name for example) to be a good general
purpose identity retrieval callout interface. In my use case, I expect
to be getting x509 certs via calls to a myproxy client library. In this
case I need access to a username to use in the myproxy protocol
authentication phase. In my case it's desireable that this be the
principal name which the user is attempting to get get krb5 credentials.

I'm not sure how such information could reasonably be passed through the
 pkcs11 interface(unless by some unholy means such as storing it in an
object on the "card" which would hardly be the kind of thing you want to
be hardcoded into the kerberos libraries.)


- -Matt Andrews


>>
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iD8DBQFDWgTGpLF3UzlwZVgRAlTtAJ9+DjndIHyXgAo2gs8tApnN4jkYdQCcCxIv
OFwsC1Muyp66EcolEv39v9o=
=DmhC
-----END PGP SIGNATURE-----