[27325] in Kerberos

home help back first fref pref prev next nref lref last post

Re: One Time Identification, a request for comments/testing.

daemon@ATHENA.MIT.EDU (Andrew Bartlett)
Wed Jan 31 16:51:44 2007

From: Andrew Bartlett <abartlet@samba.org>
To: Sam Hartman <hartmans@mit.edu>
In-Reply-To: <tsl7iv3e74s.fsf@cz.mit.edu>
Date: Thu, 01 Feb 2007 07:51:47 +1100
Message-Id: <1170276707.8708.11.camel@amy.samba4.abartlet.net>
Mime-Version: 1.0
Cc: dev@directory.apache.org, krbdev@mit.edu, g.w@hurderos.org,
   kerberos@mit.edu
Content-Type: multipart/mixed; boundary="===============0408083355=="
Errors-To: kerberos-bounces@mit.edu


--===============0408083355==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="=-UZvz/t5FWRRoEZgVpok6"


--=-UZvz/t5FWRRoEZgVpok6
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Wed, 2007-01-31 at 07:02 -0500, Sam Hartman wrote:
> So, the USB flash stores the 160-bit RSA encrypted user identity?
>=20
>=20
>=20
>=20
> I think that this approach or something like it could be useful.  I'm
> not sure I'm happy with your key schedule, or some of the crypto
> details.  I'd prefer to think about whether RFC 3961 might provide
> better options.  Similarly, I'm not sure what you get out of RSA
> encryption.
>=20
> An alternative proposal that seems like it would do the same thing
> from a security standpoint would be a way to combine a password key
> with pkinit.  You could store a soft certificate on a USB token.

I think developing a cross-platform USB 'tumb drive' based soft token
would be an immense benefit.  It could make PKINIT real for many small
sites that do not yet wish to invest in a token stack, and perhaps more
importantly, make PKINIT and smart-card login something that developers
and interested technical users can test with resources to hand.

Andrew Bartlett

--=20
Andrew Bartlett <abartlet@samba.org>

--=-UZvz/t5FWRRoEZgVpok6
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBFwQFjz4A8Wyi0NrsRAg5HAKCq9LAF+IhoeePBNpmuYAG5yHdRmwCfaqJ3
+6nV1UOgehXTbkchroaCwC8=
=DLDa
-----END PGP SIGNATURE-----

--=-UZvz/t5FWRRoEZgVpok6--


--===============0408083355==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--===============0408083355==--


home help back first fref pref prev next nref lref last post