[27325] in Kerberos
Re: One Time Identification, a request for comments/testing.
daemon@ATHENA.MIT.EDU (Andrew Bartlett)
Wed Jan 31 16:51:44 2007
From: Andrew Bartlett <abartlet@samba.org>
To: Sam Hartman <hartmans@mit.edu>
In-Reply-To: <tsl7iv3e74s.fsf@cz.mit.edu>
Date: Thu, 01 Feb 2007 07:51:47 +1100
Message-Id: <1170276707.8708.11.camel@amy.samba4.abartlet.net>
Mime-Version: 1.0
Cc: dev@directory.apache.org, krbdev@mit.edu, g.w@hurderos.org,
kerberos@mit.edu
Content-Type: multipart/mixed; boundary="===============0408083355=="
Errors-To: kerberos-bounces@mit.edu
--===============0408083355==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="=-UZvz/t5FWRRoEZgVpok6"
--=-UZvz/t5FWRRoEZgVpok6
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
On Wed, 2007-01-31 at 07:02 -0500, Sam Hartman wrote:
> So, the USB flash stores the 160-bit RSA encrypted user identity?
>=20
>=20
>=20
>=20
> I think that this approach or something like it could be useful. I'm
> not sure I'm happy with your key schedule, or some of the crypto
> details. I'd prefer to think about whether RFC 3961 might provide
> better options. Similarly, I'm not sure what you get out of RSA
> encryption.
>=20
> An alternative proposal that seems like it would do the same thing
> from a security standpoint would be a way to combine a password key
> with pkinit. You could store a soft certificate on a USB token.
I think developing a cross-platform USB 'tumb drive' based soft token
would be an immense benefit. It could make PKINIT real for many small
sites that do not yet wish to invest in a token stack, and perhaps more
importantly, make PKINIT and smart-card login something that developers
and interested technical users can test with resources to hand.
Andrew Bartlett
--=20
Andrew Bartlett <abartlet@samba.org>
--=-UZvz/t5FWRRoEZgVpok6
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQBFwQFjz4A8Wyi0NrsRAg5HAKCq9LAF+IhoeePBNpmuYAG5yHdRmwCfaqJ3
+6nV1UOgehXTbkchroaCwC8=
=DLDa
-----END PGP SIGNATURE-----
--=-UZvz/t5FWRRoEZgVpok6--
--===============0408083355==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--===============0408083355==--