[27341] in Kerberos

home help back first fref pref prev next nref lref last post

Re: One Time Identification, a request for comments/testing.

daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Thu Feb 1 17:17:08 2007

Date: Thu, 01 Feb 2007 17:15:56 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: g.w@hurderos.org, "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <4AEC84FC76C65F40BA5C6E5C@sirius.fac.cs.cmu.edu>
In-Reply-To: <200702012106.l11L6L7w001647@wind.enjellic.com>
MIME-Version: 1.0
Content-Disposition: inline
Cc: dev@directory.apache.org, Jeffrey Hutzelman <jhutz@cmu.edu>,
   krbdev@mit.edu, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



On Thursday, February 01, 2007 03:06:21 PM -0600 g.w@hurderos.org wrote:

>> What keeps a user from copying the identity token from the USB
>> device to a local or shared file system to avoid having to insert
>> the USB device all the time?
>
> We were considering public flogging but were unsure if we could get it
> into an IETF draft.

<wg chair hat on>

Anyone can submit an internet-draft; just write up your proposal according 
to <http://www.ietf.org/ietf/1id-guidelines.html> and send it off to 
internet-drafts@ietf.org.

You should then bring up your proposal on the Kerberos Working Group 
mailing list, ietf-krb-wg@anl.gov.  We're beginning to move into the area 
of preauthentication and improving the initial authentication exchange, and 
while I can't guarantee that your proposal will be well-received, it will 
certainly receive the same consideration as a number of others that have 
recently been raised.

<wg chair hat off>


> Security starts with user training and making it unnecessary for them
> to want to do things like that.

In this case, I think that is unrealistic.  The thing users want to avoid 
is "Oh, damn, I have to dig out this stupid USB thing and plug it in before 
I can use my computer, what a pain."  They'll do that by copying the file 
off, especially after the first few instances of "Oh, damn, I have to dig 
out this stupid USB thing and plug it in to use my laptop, and I can't 
because I'm in Europe and the USB thingy is in Pittsburgh".


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post