One Time Identification, a request for comments/testing.
jhutz at cmu.edu
Thu Feb 1 17:15:56 EST 2007
On Thursday, February 01, 2007 03:06:21 PM -0600 g.w at hurderos.org wrote:
>> What keeps a user from copying the identity token from the USB
>> device to a local or shared file system to avoid having to insert
>> the USB device all the time?
> We were considering public flogging but were unsure if we could get it
> into an IETF draft.
<wg chair hat on>
Anyone can submit an internet-draft; just write up your proposal according
to <http://www.ietf.org/ietf/1id-guidelines.html> and send it off to
internet-drafts at ietf.org.
You should then bring up your proposal on the Kerberos Working Group
mailing list, ietf-krb-wg at anl.gov. We're beginning to move into the area
of preauthentication and improving the initial authentication exchange, and
while I can't guarantee that your proposal will be well-received, it will
certainly receive the same consideration as a number of others that have
recently been raised.
<wg chair hat off>
> Security starts with user training and making it unnecessary for them
> to want to do things like that.
In this case, I think that is unrealistic. The thing users want to avoid
is "Oh, damn, I have to dig out this stupid USB thing and plug it in before
I can use my computer, what a pain." They'll do that by copying the file
off, especially after the first few instances of "Oh, damn, I have to dig
out this stupid USB thing and plug it in to use my laptop, and I can't
because I'm in Europe and the USB thingy is in Pittsburgh".
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA