[27392] in Kerberos

home help back first fref pref prev next nref lref last post

Re: One Time Identification, a request for comments/testing.

daemon@ATHENA.MIT.EDU (g.w@hurderos.org)
Tue Feb 6 20:16:25 2007

Message-Id: <200702070115.l171FcID017074@wind.enjellic.com>
From: g.w@hurderos.org
Date: Tue, 6 Feb 2007 19:15:38 -0600
In-Reply-To: Sam Hartman <hartmans@mit.edu>
	"Re: One Time Identification, a request for comments/testing." (Feb  5,
	10:04am)
To: Sam Hartman <hartmans@mit.edu>, g.w@hurderos.org
Cc: dev@directory.apache.org, "Douglas E. Engert" <deengert@anl.gov>,
   krbdev@mit.edu, kerberos@mit.edu
Reply-To: g.w@hurderos.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Feb 5, 10:04am, Sam Hartman wrote:
} Subject: Re: One Time Identification, a request for comments/testing.

Good evening to everyone.

> >>>>> "g" == g w <g.w@hurderos.org> writes:
> 
>     g> On Feb 1, 6:47pm, Sam Hartman wrote: } Subject: Re: One Time
>     g> Identification, a request for comments/testing.
> 
>     g> Good morning to everyone, hope your weekend is going well.
> 
>     >> OK, so the requirements you are trying to meet are:
>     >> 
>     >> 1) soft token support for flash drives.
>     >> 
>     >> 2) Support for central password management.
>     >> 
>     >> 3) Allow minimal or no identifying information on the token.
>     >> 
>     >> Any more?
> 
>     g> Just a point of clarification.
> 
>     g> Are we discussing requirements for general soft token support
>     g> or what OTI attempts to bring to the table?
> 
>     g> If the latter is the case I would offer
> 
>     g> 	- Authentication attempt unique keying.
> 
> What is this?

OTI generates a unique symmetric key for each authentication attempt,
within a granularity of one second.  If people are convinced the
scheme has strong replay attack avoidance it could be used
bi-directionally, ie, for the AP_REP as well.

I like to think of it as OTP designed specifically for the direct
Kerberos authentication model.

>     g> 	- Token invariance across password changes.  That may actually
>     g> be a subset of #2 above.

> Why do we want this as a requirement?

Practical logistics for centralized password management.

If the user changes their password you want to avoid having to
distribute a new token to them.

}-- End of excerpt from Sam Hartman

As always,
Greg

------------------------------------------------------------------------------
			 The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

"There's nothing in the middle of the road 'cept yellow lines and
squashed armadillos."
                                -- Mike Hightower
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post