Hello All,

(Please excuse any inaccuracies on my part when describing the below concepts :-)

Does it make sense to extend an application, such as kinit or perhaps pam_krb5, to support the PKCS#11 Cryptoki API [1]? If so, could one use this API + glue to fulfill the needed function of the PKINIT [2] draft?

The METACenter and Mario Strasser do have a PKINIT patch for Heimdal Kerberos [3], but it seems to me that the patch accesses the smartcard through the PC/SC library via pcsclite (I could totally be off on this as I am quite a novice with programming). CITI has put together the K-PKI package [4], which kind of approaches this, but considers the certificate "junk" and expires it within a day.

The idea here would be to issue longer lasting certificates, mainly on smartcards, but really anything that can export a PKCS#11 interface (e.g. virtual cards), and then to "allow users with public key certificates to use them in initial authentication" through PKINIT.

Thanks for your feedback,
Jon

[1] http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html
[2] http://www.ietf.org/internet-drafts/draft-ietf-cat-kerberos-pk-init-16.txt
[3] http://meta.cesnet.cz/software/heimdal/pkinit.en.html
[4] http://www.citi.umich.edu/projects/kerb_pki/

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle
