One Time Identification, a request for comments/testing.

Jeffrey Hutzelman jhutz at
Thu Feb 1 17:15:56 EST 2007

On Thursday, February 01, 2007 03:06:21 PM -0600 g.w at wrote:

>> What keeps a user from copying the identity token from the USB
>> device to a local or shared file system to avoid having to insert
>> the USB device all the time?
> We were considering public flogging but were unsure if we could get it
> into an IETF draft.

<wg chair hat on>

Anyone can submit an internet-draft; just write up your proposal according 
to <> and send it off to 
internet-drafts at

You should then bring up your proposal on the Kerberos Working Group 
mailing list, ietf-krb-wg at  We're beginning to move into the area 
of preauthentication and improving the initial authentication exchange, and 
while I can't guarantee that your proposal will be well-received, it will 
certainly receive the same consideration as a number of others that have 
recently been raised.

<wg chair hat off>

> Security starts with user training and making it unnecessary for them
> to want to do things like that.

In this case, I think that is unrealistic.  The thing users want to avoid 
is "Oh, damn, I have to dig out this stupid USB thing and plug it in before 
I can use my computer, what a pain."  They'll do that by copying the file 
off, especially after the first few instances of "Oh, damn, I have to dig 
out this stupid USB thing and plug it in to use my laptop, and I can't 
because I'm in Europe and the USB thingy is in Pittsburgh".

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA