One Time Identification, a request for comments/testing.

[Nicolas Williams]

On Wed, Jan 31, 2007 at 08:42:43AM -0600, Douglas E. Engert wrote:
> What keeps a user from copying the identity token from the USB
> device to a local or shared file system to avoid having to insert
> the USB device all the time?
> 
> What are the security implications if the identity token is
> stolen?
> 
> How does this compare to using cert and key on the USB
> device with PKINIT rather then your identity token?
> 
> How does this compare to using a smart card or USB equivelent
> of a smartcard with PKINIT? To the user they still have to insert
> the card or USB device, and have to enter a pin or password?

You're correct -- softtokens aren't a replacement for real smartcards.

That doesn't stop a softtoken from being useful though.

Compare softtokens to passphrase-protected ssh private key files in
users' home directories :)

Nico
--