directory-dev mailing list archives

From Sam Hartman <hartm...@mit.edu>
Subject Re: One Time Identification, a request for comments/testing.
Date Wed, 31 Jan 2007 12:02:43 GMT
So, the USB flash stores the 160-bit RSA encrypted user identity?

I think that this approach or something like it could be useful.  I'm
not sure I'm happy with your key schedule, or some of the crypto
details.  I'd prefer to think about whether RFC 3961 might provide
better options.  Similarly, I'm not sure what you get out of RSA
encryption.

An alternative proposal that seems like it would do the same thing
from a security standpoint would be a way to combine a password key
with pkinit.  You could store a soft certificate on a USB token.

Ultimately, though, I think that the important thing is the user
experience.  I agree with you that providing stronger authentication
when someone provides a USB flash disk with some secret information is
desirable.  I think the specific details of how to do this should be
worked out in the Kerberos working group of the IETF.  I encourage you
to take your proposal there.

--Sam

