There is no getting around the enrollment trust problem. Most sensible smartcard and PKI deployments handle this via an enrollment ceremony that involves a face-to-face component.

-- Tim

On Jul 2, 2007, at 1:59 PM, Alon Bar-Lev wrote:

On 7/2/07, Jim Rees <[EMAIL PROTECTED]> wrote:
We do something like this to translate Kerberos tickets into cert/key usable from pkcs11. But it only makes sense if you have some way to convince the CA that it should sign the keypair and issue a cert. In our case that's Kerberos. Otherwise, how can anyone trust the cert?

But Kerberos is weaker than PKI in terms of authentication.
You can use PKI in order to authenticate to Kerberos.
So you have a static certificate for the user and dynamic authorization
using Kerberos.

Alon.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
