On 6/6/2011 7:19 AM, Martin Paljak wrote:
>
> On Jun 6, 2011, at 15:01 , Viktor Tarasov wrote:
>
>> On 06/06/2011 11:22, Martin Paljak wrote:
>>> Hello,
>>>
>>>
>>> Just a quick notice that a section about "certificate compatibility"
>>> seems justified somewhere in documentation.
>>
>> Yes, it would be very useful.
>> I imagine that subtle expert knowledge of the subject is needed, for example
>> when it's going about BaseCSP, minidriver, SmartcardLogon, ...
> Maybe we can re-use the knowledge of EJBCA folks here, maybe their
> documentation even already includes necessary bits and pieces of information,
> I have not checked. Also PKIX docs are useful, but to get certificates
> "right" requires some time and effort. That's why setting up a real CA is
> not the same as running some OpenSSL commands... Root key secrecy, policies,
> certificate profiles etc require a lot of work to get right for a setup.
>

What is in a certificate is not really OpenSC's concern, but the concern
of the CA, and since we are talking login, and usually to Windows AD,
the concern of the DC or Kerberos KDC administrators.

This is a good starting point:
http://support.microsoft.com/kb/281245
Or:
http://blogs.msdn.com/b/shivaram/

Google for: AD smartcard login

Under the covers, AD is using the Kerberos PKINIT protocol, so much
of this applies to Linux with pam_krb5 to AD or to a MIT or Heimdal KDC,
and krb5.conf has many parameters used by the PKINIT code.

Google for: pam_krb5 PKINIT

>
> Cheers,
> Martin

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel