directory-dev mailing list archives

From Ken Renard <kdren...@wareonearth.com>
Subject Re: One Time Identification, a request for comments/testing.
Date Fri, 02 Feb 2007 14:48:16 GMT
> The identity token is included in an identification payload which is
> symmetrically encrypted and included in the AS_REQ authorization field.

Any reason why this couldn't be implemented as a preauthentication type
(especially with the PAL in 1.6)? Might give you more flexibility with
respect to multiple exchanges or when a principal requires this type of
authentication. This might even fit into the SAM(2) preauth type.

Operationally, users might just stick their USB key in and leave it there
(same as copying it to the filesystem). From there, it's just filesystem
privileges that separate an attacker from the real user.


-Ken Renard
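The point about a token left on the filesystem is worth making concrete. The script below is an added example, not code from this thread or from the Apache Directory project: it audits how a token file is stored on a POSIX system, flagging the conditions under which another local user with ordinary filesystem access could read or replace it. The file names, the function names and the "owner-only, regular file, sane parent directory" policy are assumptions chosen for the demonstration; the token contents are constructed sample bytes.

```python
"""Audit the on-disk exposure of an identity token file (POSIX only).

Added example for the directory-dev discussion above; not part of the
original message or the Apache Directory code base. It checks the single
thing Ken's remark turns on: whether filesystem privileges alone would let
another local user read or swap the token. Function names, paths and the
policy enforced here are assumptions for illustration.
"""
import os
import stat
import tempfile


def token_file_problems(path: str) -> list[str]:
    """Return the storage weaknesses found for a token file at `path`.

    An empty list means: regular file (not a symlink), owned by the current
    effective user, no group/other permission bits, and a parent directory
    that other users cannot freely write into.
    """
    problems: list[str] = []
    try:
        st = os.lstat(path)  # lstat so a planted symlink is reported, not followed
    except FileNotFoundError:
        return ["token file does not exist"]

    if stat.S_ISLNK(st.st_mode):
        problems.append("token path is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("token path is not a regular file")

    if st.st_uid != os.geteuid():
        problems.append(f"token owned by uid {st.st_uid}, not the current user")

    if st.st_mode & stat.S_IRWXG:
        problems.append("token readable/writable by group")
    if st.st_mode & stat.S_IRWXO:
        problems.append("token readable/writable by others")

    # A world-writable parent without the sticky bit lets anyone unlink and
    # replace the token even when the file itself is mode 0600.
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if (pst.st_mode & stat.S_IWOTH) and not (pst.st_mode & stat.S_ISVTX):
        problems.append("containing directory is world-writable without sticky bit")

    return problems


def demo() -> dict[str, list[str]]:
    """Create two constructed token files in a private temp dir and audit both.

    'weak' is left at a typical umask-derived mode (0644), which is the
    'USB key left plugged in / copied to $HOME' situation; 'strict' is 0600.
    """
    results: dict[str, list[str]] = {}
    tmpdir = tempfile.mkdtemp()  # mkdtemp creates the directory mode 0700
    try:
        weak = os.path.join(tmpdir, "token-weak")
        strict = os.path.join(tmpdir, "token-strict")
        for p in (weak, strict):
            with open(p, "wb") as fh:
                fh.write(b"constructed-token-bytes")  # constructed sample, not a real token
        os.chmod(weak, 0o644)    # readable by group and others
        os.chmod(strict, 0o600)  # owner-only
        results["weak"] = token_file_problems(weak)
        results["strict"] = token_file_problems(strict)
    finally:
        for name in os.listdir(tmpdir):
            os.remove(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, "->", found or ["ok"])
```

Run it as a script to see the two audits side by side; in practice you would point `token_file_problems` at the real token path (or the USB mount point, whose mount options such as `uid=`/`umask=` decide what the file modes look like to other users).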


