[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pkinit/opensc/soft-pkcs11

To: heimdal-discuss@sics.se
Subject: Re: pkinit/opensc/soft-pkcs11
From: "Matthew N. Andrews" <matt@slackers.net>
Date: Thu, 06 Oct 2005 17:19:35 -0700
In-Reply-To: <4345770C.6080605@slackers.net>
References: <434329B9.9090401@slackers.net> <m2hdbwdp0y.fsf@dhcp-wavelan-v-222.publik.su.se> <4343F364.8020705@slackers.net> <m2ll17ccia.fsf@dhcp-wavelan-v-222.publik.su.se> <43455577.3080408@slackers.net> <43456541.3060702@anl.gov> <4345770C.6080605@slackers.net>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050716)

Hmmm...

upon further consideration I think you're right(sorta). pkcs11 is not 
really what I want here. it's more likely that what I want is actually 
simply a engine_myproxy.sa that provides ENGINE_load_private_key, and 
ENGINE_load_public_key, and ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL" ...

whee!!!!


Matthew N. Andrews wrote:
> Douglas E. Engert wrote:
> ...
> 
>>>
>>> Just in case anyone cares, my goal here is to have a pkcs11 software 
>>> token that requires login to retrieve a user key/cert pair, and to 
>>> upon "login" to actually acquire the key/cert from a globus myproxy 
>>> server.
>>
>>
>>
>> So how are you authenticating to the myproxy?
>> It is not clear why you are trying to do all of this from the the pkcs11.
>> It sounds like it should be multiple operations. Maybe via PAM.
>> Are going to use the "pin" to authenticate to the myproxy?
>>
> 
> Yes I plan on using the pin. my rational for going the pkcs11 route is 
> that it means that users will be able to acquire new credentials post 
> login simply by running kinit. The password to the myproxy server is 
> validated against an OTP server. If/when sometime down the road we shift 
> to using smart cards for authentication rather than OTP fobs, it simply 
> means that we swap out the myproxy/soft-pkcs11 library for one that 
> actually interfaces with whatever smartcard we end up standardizing on.
> 
> multi module pam stacks work fine for initial login, but I don't know of 
> a generic pam aware "acquire new credentials" application.
> 
> I'm open to alternate suggestions, but I think that the user experience 
> of having kinit do the right thing without needing the user to 
> explicitly take the myproxy step will be a win. I could just replace 
> kinit with a script that does both kinit and myproxy, however if I can 
> come up with a solution that just requires configuration changes to what 
> will ultimately be the standard heimdal code/apps rather than replacing 
> them with wrappers I'll be happier.
> 
> 
> -Matt
> 
>

Follow-Ups:
- Re: pkinit/opensc/soft-pkcs11
  - From: "Douglas E. Engert" <deengert@anl.gov>

References:
- pkinit/opensc/soft-pkcs11
  - From: "Matthew N. Andrews" <matt@slackers.net>
- Re: pkinit/opensc/soft-pkcs11
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: pkinit/opensc/soft-pkcs11
  - From: Matthew Andrews <matt@slackers.net>
- Re: pkinit/opensc/soft-pkcs11
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: pkinit/opensc/soft-pkcs11
  - From: "Matthew N. Andrews" <matt@slackers.net>
- Re: pkinit/opensc/soft-pkcs11
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: pkinit/opensc/soft-pkcs11
  - From: "Matthew N. Andrews" <matt@slackers.net>

Prev by Date: Re: pkinit/opensc/soft-pkcs11
Next by Date: Re: pkinit/opensc/soft-pkcs11
Prev by thread: Re: pkinit/opensc/soft-pkcs11
Next by thread: Re: pkinit/opensc/soft-pkcs11
Index(es):
- Date
- Thread