One Time Identification, a request for comments/testing.
g.w@hurderos.org
Tue Feb 6 20:15:38 EST 2007
On Feb 5, 10:04am, Sam Hartman wrote:
} Subject: Re: One Time Identification, a request for comments/testing.
Good evening to everyone.
> >>>>> "g" == g w <g.w at hurderos.org> writes:
>
> g> On Feb 1, 6:47pm, Sam Hartman wrote: } Subject: Re: One Time
> g> Identification, a request for comments/testing.
>
> g> Good morning to everyone, hope your weekend is going well.
>
> >> OK, so the requirements you are trying to meet are:
> >>
> >> 1) soft token support for flash drives.
> >>
> >> 2) Support for central password management.
> >>
> >> 3) Allow minimal or no identifying information on the token.
> >>
> >> Any more?
>
> g> Just a point of clarification.
>
> g> Are we discussing requirements for general soft token support
> g> or what OTI attempts to bring to the table?
>
> g> If the latter is the case I would offer
>
> g> - Authentication attempt unique keying.
>
> What is this?
OTI generates a unique symmetric key for each authentication attempt,
within a granularity of one second. If people are convinced the
scheme has strong replay attack avoidance it could be used
bi-directionally, i.e., for the AP_REP as well.
I like to think of it as OTP designed specifically for the direct
Kerberos authentication model.
> g> - Token invariance across password changes. That may actually
> g> be a subset of #2 above.
> Why do we want this as a requirement?
Practical logistics for centralized password management.
If the user changes their password you want to avoid having to
distribute a new token to them.
}-- End of excerpt from Sam Hartman
As always,
Greg
------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management
http://www.hurderos.org
"There's nothing in the middle of the road 'cept yellow lines and
squashed armadillos."
-- Mike Hightower
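The two properties discussed in the thread (a symmetric key that is unique per attempt at one-second granularity, and a token secret that does not change with the user's password) can be sketched in a few lines. This is an added illustration, not OTI's construction (the thread does not describe it); the HMAC-based derivation, the `Verifier` class, the two-second skew window and the sample secret are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed sketch, not OTI's actual design. A per-attempt key is derived
# from a long-lived token secret and the current second; the verifier never
# accepts the same second twice for a client, which is where replay
# resistance comes from. The token secret is independent of the user's
# password, so a password change does not require reissuing the token.


def derive_attempt_key(token_secret: bytes, second: int) -> bytes:
    """Derive the symmetric key for the attempt made at `second`."""
    # The second is encoded as a big-endian 64-bit counter (HOTP/TOTP style).
    return hmac.new(token_secret, struct.pack(">Q", second), hashlib.sha256).digest()


def make_authenticator(token_secret: bytes, second: int, client_id: bytes) -> bytes:
    """Client side: MAC the identity and timestamp under the per-attempt key."""
    key = derive_attempt_key(token_secret, second)
    return hmac.new(key, client_id + struct.pack(">Q", second), hashlib.sha256).digest()


class Verifier:
    """Server side: recomputes the per-attempt key and tracks seconds already spent."""

    def __init__(self, token_secret: bytes, skew_seconds: int = 2):
        self.token_secret = token_secret
        self.skew = skew_seconds
        self.seen = {}  # client_id -> set of seconds already accepted

    def verify(self, client_id: bytes, second: int, tag: bytes, now: int) -> bool:
        # Reject timestamps outside the tolerated clock skew; this also bounds
        # how long the `seen` sets need to be retained in a real deployment.
        if abs(now - second) > self.skew:
            return False
        # Each second may be used once per client: a replayed tag fails here.
        if second in self.seen.setdefault(client_id, set()):
            return False
        expected = make_authenticator(self.token_secret, second, client_id)
        if not hmac.compare_digest(expected, tag):
            return False
        self.seen[client_id].add(second)
        return True
```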