One Time Identification, a request for comments/testing. g.w at
Fri Feb 2 21:07:03 EST 2007

On Feb 2, 10:05am, Jim Rees wrote:
} Subject: Re: One Time Identification, a request for comments/testing.

Hi Jim, hope the weekend is going well for you.

> So would it be fair to say this is sort of like using a smartcard in that you
> need both possession of the token and knowledge of a PIN?

Jeff already did a nice job of differentiating a smart card/PIN from
what is being suggested with OTI.

> And that the KDC guards the PIN against brute force guessing,
> because each guess requires a transaction against the KDC?  So
> stealing the token gets the attacker nothing?

Correct, the KDC is the only entity which is in a position to verify
that the expression of the identity is valid.

This is the reason why the decision was made to not encrypt the
identity token.  It actually increases the security liability if the
token is lost.  If the token is encrypted there is an opportunity for
an off-line guessing attack to yield not only the token but validation
of the password as well.

Have a good weekend.

}-- End of excerpt from Jim Rees

As always,
Greg Wettstein

			 The Hurderos Project
         Open Identity, Service and Authorization Management

"Human beings, who are almost unique in having the ability to learn
 from the experience of others, are also remarkable for their apparent
 disinclination to do so."
                                -- Douglas Adams
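
The following is an added example, not part of the original message and not Hurderos or OTI code. It contrasts a token wrapped under a password-derived key, which lets the holder of a lost token check guesses locally, with a cleartext token whose password can only be checked through a KDC transaction. The wrapping scheme, the ToyKDC class, its failure limit and all sample values are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def wrap_token(token: bytes, password: str) -> dict:
    # Hypothetical "encrypted token": keystream XOR plus a MAC, both keyed by the password.
    salt = os.urandom(16)
    key = derive_key(password, salt)
    stream = hashlib.shake_256(key).digest(len(token))
    ct = bytes(a ^ b for a, b in zip(token, stream))
    return {"salt": salt, "ct": ct, "tag": hmac.new(key, ct, hashlib.sha256).digest()}

def unwrap_token(blob: dict, guess: str):
    # Runs entirely on the holder's machine: the tag confirms or rejects the guess.
    key = derive_key(guess, blob["salt"])
    tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    stream = hashlib.shake_256(key).digest(len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))

class ToyKDC:
    # Stand-in for the KDC; the failure limit is an assumed policy.
    def __init__(self, token: bytes, password: str, max_failures: int = 3):
        self._token, self._salt = token, os.urandom(16)
        self._verifier = derive_key(password, self._salt)
        self.max_failures, self.failures, self.transactions = max_failures, 0, 0

    def authenticate(self, token: bytes, guess: str) -> bool:
        self.transactions += 1  # every guess is visible to the KDC
        if self.failures >= self.max_failures:
            return False  # locked out
        ok = hmac.compare_digest(token, self._token) and hmac.compare_digest(
            derive_key(guess, self._salt), self._verifier)
        self.failures += 0 if ok else 1
        return ok

def compare(candidates: list, password: str):
    token = os.urandom(32)  # constructed sample token
    blob = wrap_token(token, password)
    offline = [g for g in candidates if unwrap_token(blob, g) == token]
    kdc = ToyKDC(token, password)
    online = [g for g in candidates if kdc.authenticate(token, g)]
    return offline, online, kdc.transactions

if __name__ == "__main__":
    # Constructed candidate list; the real password is the fifth entry.
    print(compare(["winter", "summer", "autumn", "spring", "hunter2"], "hunter2"))
```

With the wrapped token the local check confirms the password and yields the token; with the cleartext token the same guesses reach the KDC, which counts them and stops answering after the assumed limit.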
