One Time Identification, a request for comments/testing.
Andrew Bartlett
abartlet at samba.org
Wed Jan 31 15:51:47 EST 2007
On Wed, 2007-01-31 at 07:02 -0500, Sam Hartman wrote:
> So, the USB flash stores the 160-bit RSA encrypted user identity?
>
> I think that this approach or something like it could be useful. I'm
> not sure I'm happy with your key schedule, or some of the crypto
> details. I'd prefer to think about whether RFC 3961 might provide
> better options. Similarly, I'm not sure what you get out of RSA
> encryption.
>
> An alternative proposal that seems like it would do the same thing
> from a security standpoint would be a way to combine a password key
> with pkinit. You could store a soft certificate on a USB token.
I think developing a cross-platform USB 'thumb drive' based soft token
would be an immense benefit. It could make PKINIT real for many small
sites that do not yet wish to invest in a token stack, and perhaps more
importantly, make PKINIT and smart-card login something that developers
and interested technical users can test with resources to hand.
Andrew Bartlett
--
Andrew Bartlett <abartlet at samba.org>