One Time Identification, a request for comments/testing. g.w at
Tue Feb 6 20:15:38 EST 2007

On Feb 5, 10:04am, Sam Hartman wrote:
} Subject: Re: One Time Identification, a request for comments/testing.

Good evening to everyone.

> >>>>> "g" == g w <g.w at> writes:
>     g> On Feb 1, 6:47pm, Sam Hartman wrote: } Subject: Re: One Time
>     g> Identification, a request for comments/testing.
>     g> Good morning to everyone, hope your weekend is going well.
>     >> OK, so the requirements you are trying to meet are:
>     >> 
>     >> 1) soft token support for flash drives.
>     >> 
>     >> 2) Support for central password management.
>     >> 
>     >> 3) Allow minimal or no identifying information on the token.
>     >> 
>     >> Any more?
>     g> Just a point of clarification.
>     g> Are we discussing requirements for general soft token support
>     g> or what OTI attempts to bring to the table?
>     g> If the latter is the case I would offer
>     g> 	- Authentication attempt unique keying.
> What is this?

OTI generates a unique symmetric key for each authentication attempt,
within a granularity of one second.  If people are convinced the
scheme has strong replay attack avoidance it could be used
bi-directionally, i.e., for the AP_REP as well.

I like to think of it as OTP designed specifically for the direct
Kerberos authentication model.

>     g> 	- Token invariance across password changes.  That may actually
>     g> be a subset of #2 above.

> Why do we want this as a requirement?

Practical logistics for centralized password management.

If the user changes their password you want to avoid having to
distribute a new token to them.

}-- End of excerpt from Sam Hartman

As always,

			 The Hurderos Project
         Open Identity, Service and Authorization Management

"There's nothing in the middle of the road 'cept yellow lines and
squashed armadillos."
                                -- Mike Hightower
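The two properties discussed in the message above (a fresh symmetric key per authentication attempt at one-second granularity, and a token that survives password changes) are illustrated below. This is an added example, not OTI's algorithm or any code from the Hurderos Project: the construction (an HMAC chain over a token secret and a centrally held password-derived key, with the attempt second and a direction label as message), the one-second skew window, the `AP_REQ`/`AP_REP` direction labels and all sample values are assumptions made for the illustration.

```python
"""Illustrative per-attempt symmetric keying with one-second granularity.

Hypothetical construction, NOT OTI's actual scheme: the per-attempt key is
HMAC(HMAC(token_secret, password_key), direction || principal || second).
"""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 1  # assumed clock-skew tolerance between client and verifier


def derive_attempt_key(token_secret: bytes, password_key: bytes, principal: str,
                       direction: str, second: int) -> bytes:
    """Key for exactly one authentication attempt.

    token_secret: long-term secret on the (flash-drive) token; never reissued
    password_key: centrally managed factor that changes with the password
    direction:    'AP_REQ' or 'AP_REP' so the two directions never share a key
    second:       clock truncated to whole seconds (the one-second granularity)
    """
    # Chain the two factors: the token secret keys an HMAC over the password
    # key, so a password change alters every derived key without touching
    # the token itself.
    attempt_base = hmac.new(token_secret, password_key, hashlib.sha256).digest()
    msg = direction.encode() + b"\x00" + principal.encode() + struct.pack(">Q", second)
    return hmac.new(attempt_base, msg, hashlib.sha256).digest()


class Verifier:
    """Server side: derives the same key and enforces replay rejection."""

    def __init__(self, token_secret: bytes, password_key: bytes, principal: str):
        self.token_secret = token_secret
        self.password_key = password_key
        self.principal = principal
        self.last_accepted = -1  # highest attempt second accepted so far

    def change_password(self, new_password_key: bytes) -> None:
        # Central password management: only the server-side factor changes.
        self.password_key = new_password_key

    def verify(self, proof: bytes, attempt_second: int, now: int,
               direction: str = "AP_REQ") -> str:
        if abs(now - attempt_second) > WINDOW_SECONDS:
            return "stale"
        if attempt_second <= self.last_accepted:
            return "replay"  # that second (or an earlier one) is already consumed
        expected = derive_attempt_key(self.token_secret, self.password_key,
                                      self.principal, direction, attempt_second)
        if not hmac.compare_digest(expected, proof):
            return "bad-key"
        self.last_accepted = attempt_second
        return "ok"


def run_scenario() -> dict:
    """Constructed walk-through; every value here is made up for the example."""
    token = b"\x01" * 32
    pw_old = hashlib.sha256(b"old-password").digest()  # stands in for string-to-key
    pw_new = hashlib.sha256(b"new-password").digest()
    principal = "alice@EXAMPLE.ORG"
    t = 1_170_800_000  # constructed clock value, whole seconds
    v = Verifier(token, pw_old, principal)

    k1 = derive_attempt_key(token, pw_old, principal, "AP_REQ", t)
    k2 = derive_attempt_key(token, pw_old, principal, "AP_REQ", t + 1)
    k_rep = derive_attempt_key(token, pw_old, principal, "AP_REP", t)
    results = {
        "keys_differ_per_second": k1 != k2,
        "keys_differ_per_direction": k1 != k_rep,
        "first": v.verify(k1, t, t),
        "replay_same_second": v.verify(k1, t, t),
        "next_second": v.verify(k2, t + 1, t + 1),
        "stale": v.verify(derive_attempt_key(token, pw_old, principal, "AP_REQ", t + 5),
                          t + 5, t + 10),
    }
    # Password change: the token secret is untouched, only the verifier's factor moves.
    v.change_password(pw_new)
    results["old_password_after_change"] = v.verify(
        derive_attempt_key(token, pw_old, principal, "AP_REQ", t + 2), t + 2, t + 2)
    results["new_password_same_token"] = v.verify(
        derive_attempt_key(token, pw_new, principal, "AP_REQ", t + 2), t + 2, t + 2)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The replay check is what the one-second granularity buys: a captured proof is useless once its second has been consumed, but a legitimate second attempt inside the same second is also refused, so a client has to wait for the clock to tick. The direction label is the cheap way to make the same keying usable for the AP_REP without letting a server-side proof be turned around as a client proof.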

More information about the krbdev mailing list