>There is a hw-authent bit in the TicketFlags, the KDC should set if a
>hardware device was used to authenticate. But for some this is not enough
>information.
Just my $0.02:
We use the hw-authent bit in the ticket flags (we do not use PKINIT, but
we use hardware tokens for preauthentication). We actually make decisions
on the application server to allow or deny access to certain machines based
on whether or not a hardware token was used to get a ticket.
If all you want is a flag that says "yes, this person used PKINIT", well,
I think that's perfectly reasonable to use. Now technically you don't
have to use a smartcard to use PKINIT. If you want to differentiate
between smartcard and non-smartcard uses of PKINIT then a single bit won't
cut it, but that wasn't what you asked for.
--Ken
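To make the application-server decision described above concrete, here is an added example (not code from this thread or from any Kerberos implementation) that decodes the DER-encoded TicketFlags bit string using the bit numbering of RFC 4120 and applies a policy that requires hw-authent. The sample flag bytes are constructed, and the policy function is a hypothetical stand-in for whatever the real server enforces.

```python
from __future__ import annotations

# Flag bit positions from RFC 4120 (KerberosFlags is a BIT STRING; bit 0 is the
# most significant bit of the first octet, so hw-authent is bit 11).
TICKET_FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8, "initial": 9,
    "pre-authent": 10, "hw-authent": 11, "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}


def decode_kerberos_flags(der: bytes) -> set[str]:
    """Parse a DER BIT STRING (tag 0x03) carrying KerberosFlags and return the
    names of the flags that are set. Malformed input raises ValueError rather
    than silently yielding an empty (and therefore 'no hw-authent') set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:   # flags fit in short-form length
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits octet")
    nbits = len(body) * 8 - unused
    if nbits < 32:                                 # RFC 4120: SIZE (32..MAX)
        raise ValueError("KerberosFlags must be at least 32 bits")
    return {name for name, pos in TICKET_FLAG_BITS.items()
            if pos < nbits and body[pos // 8] & (0x80 >> (pos % 8))}


def allow_access(flags: set[str], require_hw_authent: bool) -> bool:
    """Hypothetical application-server policy: never honour a ticket marked
    invalid; when the resource demands it, insist that the KDC set hw-authent."""
    if "invalid" in flags:
        return False
    return (not require_hw_authent) or ("hw-authent" in flags)


# Constructed samples: TicketFlags with and without hw-authent.
# 0x40700000 = forwardable | initial | pre-authent | hw-authent
HW_TICKET_FLAGS = bytes.fromhex("0305004070" "0000")
# 0x40600000 = forwardable | initial | pre-authent (password preauth only)
PW_TICKET_FLAGS = bytes.fromhex("0305004060" "0000")

if __name__ == "__main__":
    for label, der in (("hardware token", HW_TICKET_FLAGS), ("password", PW_TICKET_FLAGS)):
        f = decode_kerberos_flags(der)
        print(label, sorted(f), "-> allowed:", allow_access(f, require_hw_authent=True))
```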