> Does this mean the client certificate should have the policy:
> 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)?
>
> Is it only the client certificate, or should the CA cert also have this policy?
Well, we don't use that particular OID; we use another one defined by our CA that indicates it comes from an approved Smart Card. But that's the basic idea. I don't want to get into a whole discussion about certificate policy; that's sort of outside of the scope of this thread. I will say that in our particular case, it only matters that the client certificate has that policy OID on it, and that's all our implementation checks for.

And let me be clear: this is not something that exists in the supplied MIT Kerberos pkinit module. This is our own version of it. I've talked with MIT about incorporating our changes into their module, and they have been receptive; I just haven't had time recently to deal with it.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
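A minimal form of the check described in the reply, added here as an example and not code from Ken's PKINIT plugin or from MIT's module: parse the DER-encoded certificatePolicies extension value of the client certificate and accept it only if the required policy OID is present. The Smart Card Logon OID from the question is used as the required value, and the DER byte strings are constructed for this example rather than taken from a real certificate.

```python
"""Accept a client certificate only if its certificatePolicies extension carries a required OID."""

# Policy OID the issuing CA stamps on approved smart-card certificates (value from the question).
REQUIRED_POLICY = "1.3.6.1.4.1.311.20.2.2"


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content octets (base-128 arcs, first two arcs packed) into dotted form."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the current arc
            arcs.append(val)
            val = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def policy_oids(ext_value):
    """Return the set of policyIdentifier OIDs in a DER-encoded certificatePolicies value."""
    tag, seq, _ = _read_tlv(ext_value, 0)   # certificatePolicies ::= SEQUENCE OF PolicyInformation
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = set(), 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)  # PolicyInformation ::= SEQUENCE { policyIdentifier, qualifiers OPTIONAL }
        _, oid_raw, _ = _read_tlv(info, 0)  # first element is the OID; any qualifiers are ignored
        oids.add(_decode_oid(oid_raw))
    return oids


def client_cert_acceptable(ext_value, required=REQUIRED_POLICY):
    """The check the reply describes: the client certificate must carry the required policy OID."""
    return required in policy_oids(ext_value)


# Constructed sample extension values (not from real certificates).
# Smart Card Logon 1.3.6.1.4.1.311.20.2.2 followed by anyPolicy 2.5.29.32.0:
SMARTCARD_POLICIES = bytes.fromhex("3016" "300c060a2b060104018237140202" "30060604551d2000")
# anyPolicy only, so a PKINIT client presenting this certificate is refused:
OTHER_POLICIES = bytes.fromhex("3008" "30060604551d2000")
```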