[27378] in Kerberos

home help back first fref pref prev next nref lref last post

Re: One Time Identification, a request for comments/testing.

daemon@ATHENA.MIT.EDU (Frank Cusack)
Sun Feb 4 23:58:04 2007

Date: Sun, 04 Feb 2007 20:57:45 -0800
From: Frank Cusack <fcusack@fcusack.com>
To: Peter Iannarelli <peteri@cryptocard.com>, kerberos@mit.edu
Message-ID: <718D7348CF1DBF8B3A6EEAA3@sucksless.local>
In-Reply-To: <45C3BF5F.4070307@cryptocard.com>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On February 2, 2007 5:46:55 PM -0500 Peter Iannarelli 
<peteri@cryptocard.com> wrote:
> I don't believe I've seen anyone with a token strapped to their
> notebook and their PIN etched on the case.

I know a few thousand such users.  Not with the PIN etched :-) but with
a credit card form factor token strapped to the laptop lid in a clear
plastic envelope.  Pretty convenient.

> The reality is different. Software tokena require a M2M or
> machine to machine interface (software). Deploying this software
> on 100 workstations is problematic. Multiply that by 1000, within
> a heterogeneous environment, and its an administrative nightmare.

I tend to disagree.  Yes at the few dozen or maybe even 100 machine level
it can be a chore to maintain (but installation itself should be trivial),
but once you hit multi-hundreds if you can't maintain the software you
really should worry about that first before worrying about tokens of any
sort.  Keeping user's workstation software up to date automatically is an
absolute must in any large environment, and a sunk cost as far as
administrative overhead goes.

> Hardware tokens are the most portable and most secure.

I agree with that, except for the case of smartcards and portability.

These days, I'm surprised java tokens for phones and blackberrys aren't
more popular.  The phone has the advantage that the user is very unlikely
to forget it somewhere.

-frank
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post