One Time Identification, a request for comments/testing.
Nicolas Williams
Nicolas.Williams at sun.com
Wed Jan 31 17:36:00 EST 2007
On Wed, Jan 31, 2007 at 08:42:43AM -0600, Douglas E. Engert wrote:
> What keeps a user from copying the identity token from the USB
> device to a local or shared file system to avoid having to insert
> the USB device all the time?
>
> What are the security implications if the identity token is
> stolen?
>
> How does this compare to using cert and key on the USB
> device with PKINIT rather than your identity token?
>
> How does this compare to using a smart card or USB equivalent
> of a smartcard with PKINIT? To the user they still have to insert
> the card or USB device, and have to enter a PIN or password?
You're correct -- softtokens aren't a replacement for real smartcards.
That doesn't stop a softtoken from being useful though.
Compare softtokens to passphrase-protected ssh private key files in
users' home directories :)
Nico
--
More information about the Kerberos mailing list