[27341] in Kerberos
Re: One Time Identification, a request for comments/testing.
daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Thu Feb 1 17:17:08 2007
Date: Thu, 01 Feb 2007 17:15:56 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: g.w@hurderos.org, "Douglas E. Engert" <deengert@anl.gov>
Message-ID: <4AEC84FC76C65F40BA5C6E5C@sirius.fac.cs.cmu.edu>
In-Reply-To: <200702012106.l11L6L7w001647@wind.enjellic.com>
MIME-Version: 1.0
Content-Disposition: inline
Cc: dev@directory.apache.org, Jeffrey Hutzelman <jhutz@cmu.edu>,
krbdev@mit.edu, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Thursday, February 01, 2007 03:06:21 PM -0600 g.w@hurderos.org wrote:
>> What keeps a user from copying the identity token from the USB
>> device to a local or shared file system to avoid having to insert
>> the USB device all the time?
>
> We were considering public flogging but were unsure if we could get it
> into an IETF draft.
<wg chair hat on>
Anyone can submit an internet-draft; just write up your proposal according
to <http://www.ietf.org/ietf/1id-guidelines.html> and send it off to
internet-drafts@ietf.org.
You should then bring up your proposal on the Kerberos Working Group
mailing list, ietf-krb-wg@anl.gov. We're beginning to move into the area
of preauthentication and improving the initial authentication exchange, and
while I can't guarantee that your proposal will be well-received, it will
certainly receive the same consideration as a number of others that have
recently been raised.
<wg chair hat off>
> Security starts with user training and making it unnecessary for them
> to want to do things like that.
In this case, I think that is unrealistic. The thing users want to avoid
is "Oh, damn, I have to dig out this stupid USB thing and plug it in before
I can use my computer, what a pain." They'll do that by copying the file
off, especially after the first few instances of "Oh, damn, I have to dig
out this stupid USB thing and plug it in to use my laptop, and I can't
because I'm in Europe and the USB thingy is in Pittsburgh".
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos