[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Enforce EKU requirements for client tokens during PKINIT

On Jan 28, 2008, at 5:38 PM, Henry B. Hotz wrote:

> I expect to need to do pkinit with PIV card certs which contain a  
> the Microsoft attributes.  However I will need to ignore those  
> attributes.
> I'm not convinced the usage context for the cards is so performance  
> sensitive that re-searching the card is unacceptable.  If our use  
> case is always the second or third check, then it's nice the cert's  
> are cached though.

I like to generalize, and while I can't think of a use case where  
someone has multiple tokens simultaneously connected with hundreds of  
certs on each doesn't mean that one doesn't exist.  :)

-- Tim