One Time Identification, a request for comments/testing.

Andrew Bartlett abartlet at
Wed Jan 31 15:51:47 EST 2007

On Wed, 2007-01-31 at 07:02 -0500, Sam Hartman wrote:
> So, the USB flash stores the 160-bit RSA encrypted user identity?
> I think that this approach or something like it could be useful.  I'm
> not sure I'm happy with your key schedule, or some of the crypto
> details.  I'd prefer to think about whether RFC 3961 might provide
> better options.  Similarly, I'm not sure what you get out of RSA
> encryption.
> An alternative proposal that seems like it would do the same thing
> from a security standpoint would be a way to combine a password key
> with pkinit.  You could store a soft certificate on a USB token.

I think developing a cross-platform USB 'thumb drive' based soft token
would be an immense benefit.  It could make PKINIT real for many small
sites that do not yet wish to invest in a token stack, and perhaps more
importantly, make PKINIT and smart-card login something that developers
and interested technical users can test with resources to hand.

Andrew Bartlett
