[27328] in Kerberos
Re: One Time Identification, a request for comments/testing.
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed Jan 31 17:36:56 2007
Date: Wed, 31 Jan 2007 16:36:00 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <20070131223559.GU28618@binky.Central.Sun.COM>
Mail-Followup-To: "Douglas E. Engert" <deengert@anl.gov>,
g.w@hurderos.org, dev@directory.apache.org, krbdev@mit.edu,
kerberos@mit.edu
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <45C0AAE3.905@anl.gov>
Cc: dev@directory.apache.org, krbdev@mit.edu, g.w@hurderos.org,
kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wed, Jan 31, 2007 at 08:42:43AM -0600, Douglas E. Engert wrote:
> What keeps a user from copying the identity token from the USB
> device to a local or shared file system to avoid having to insert
> the USB device all the time?
>
> What are the security implications if the identity token is
> stolen?
>
> How does this compare to using cert and key on the USB
> device with PKINIT rather then your identity token?
>
> How does this compare to using a smart card or USB equivelent
> of a smartcard with PKINIT? To the user they still have to insert
> the card or USB device, and have to enter a pin or password?
You're correct -- softtokens aren't a replacement for real smartcards.
That doesn't stop a softtoken from being useful though.
Compare softtokens to passphrase-protected ssh private key files in
users' home directories :)
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos