
RE: Was a smartcard used to get the ticket?

I think this is an interesting issue in PKINIT implementation since PKINIT cannot guarantee that a hw-token has been used.  However, it is good to know that the hw-authent bit is being used.  I know Microsoft is not using this bit even when one authenticates using smartcard logon.  So it would be nice if the Kerberos RFC were specific on the process where the hw-authent flag can be used; then one could implement a compliance plugin/library.  I know at the time of the RFC, there weren't that many hw-tokens out there.  However, there are plenty of token vendors today and I would really like to see hw-token support in Kerberos.  I agree with Ken, this is more than a bit setting.
 
-peter huang 

From: Ken Hornstein
Sent: Wed 8/8/2007 8:01 AM
To: heimdal-discuss@sics.se
Subject: Re: Was a smartcard used to get the ticket?

>There is a hw-authent bit in the TicketFlags, that the KDC should set if a
>hardware device was used to authenticate. But for some this is not enough
>information.

Just my $0.02:

We use the hw-authent bit in the ticket flags (we do not use PKINIT, but
we use hardware tokens for preauthentication).  We actually make decisions
on the application server to allow or deny access to certain machines based
on whether or not a hardware token was used to get a ticket.

If all you want is a flag that says "yes, this person used PKINIT", well,
I think that's perfectly reasonable to use.  Now technically you don't
have to use a smartcard to use PKINIT.  If you want to differentiate
between smartcard and non-smartcard uses of PKINIT then a single bit won't
cut it, but that wasn't what you asked for.

--Ken
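As an added illustration of the application-server decision Ken describes (example code written for this page, not from the thread, Heimdal, or any KDC): decode a ticket's DER-encoded TicketFlags using the RFC 4120 bit numbering (hw-authent is bit 11) and let a policy require that bit. The sample encodings are constructed, and the check says nothing about whether PKINIT or a smartcard was involved, only whether the KDC set hw-authent.

```python
"""Decode Kerberos TicketFlags (RFC 4120) and gate access on the hw-authent bit."""

# Bit positions from RFC 4120 TicketFlags; bit 0 is the most significant
# bit of the first octet of the BIT STRING body.
TICKET_FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8, "initial": 9,
    "pre-authent": 10, "hw-authent": 11, "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}

def decode_ticket_flags(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) into the set of named flags that are set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KerberosFlags are 32 bits or slightly more, so short-form length suffices.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    nbits = len(body) * 8 - unused
    if nbits < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    flags = set()
    for name, bit in TICKET_FLAG_BITS.items():
        if bit < nbits and body[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(name)
    return flags

def allow_access(flags: set, require_hw_authent: bool) -> bool:
    """Application-server policy: optionally require a hardware-token ticket."""
    if "invalid" in flags:          # never honour a ticket the KDC marked invalid
        return False
    return not require_hw_authent or "hw-authent" in flags

# Constructed sample encodings (not captured from a real KDC):
# forwardable, renewable, initial, pre-authent and hw-authent set.
HW_TICKET = bytes.fromhex("03050040F00000")
# Same flags with hw-authent clear (e.g. password or non-smartcard PKINIT).
SW_TICKET = bytes.fromhex("03050040E00000")
```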