directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Bartlett <abart...@samba.org>
Subject Re: One Time Identification, a request for comments/testing.
Date Wed, 31 Jan 2007 20:51:47 GMT
On Wed, 2007-01-31 at 07:02 -0500, Sam Hartman wrote:
> So, the USB flash stores the 160-bit RSA encrypted user identity?
> 
> 
> 
> 
> I think that this approach or something like it could be useful.  I'm
> not sure I'm happy with your key schedule, or some of the crypto
> details.  I'd prefer to think about whether RFC 3961 might provide
> better options.  Similarly, I'm not sure what you get out of RSA
> encryption.
> 
> An alternative proposal that seems like it would do the same thing
> from a security standpoint would be a way to combine a password key
> with pkinit.  You could store a soft certificate on a USB token.

I think developing a cross-platform USB 'tumb drive' based soft token
would be an immense benefit.  It could make PKINIT real for many small
sites that do not yet wish to invest in a token stack, and perhaps more
importantly, make PKINIT and smart-card login something that developers
and interested technical users can test with resources to hand.

Andrew Bartlett

-- 
Andrew Bartlett <abartlet@samba.org>

Mime
View raw message