directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeffrey Hutzelman <jh...@cmu.edu>
Subject Re: One Time Identification, a request for comments/testing.
Date Thu, 01 Feb 2007 22:15:56 GMT


On Thursday, February 01, 2007 03:06:21 PM -0600 g.w@hurderos.org wrote:

>> What keeps a user from copying the identity token from the USB
>> device to a local or shared file system to avoid having to insert
>> the USB device all the time?
>
> We were considering public flogging but were unsure if we could get it
> into an IETF draft.

<wg chair hat on>

Anyone can submit an internet-draft; just write up your proposal according 
to <http://www.ietf.org/ietf/1id-guidelines.html> and send it off to 
internet-drafts@ietf.org.

You should then bring up your proposal on the Kerberos Working Group 
mailing list, ietf-krb-wg@anl.gov.  We're beginning to move into the area 
of preauthentication and improving the initial authentication exchange, and 
while I can't guarantee that your proposal will be well-received, it will 
certainly receive the same consideration as a number of others that have 
recently been raised.

<wg chair hat off>


> Security starts with user training and making it unnecessary for them
> to want to do things like that.

In this case, I think that is unrealistic.  The thing users want to avoid 
is "Oh, damn, I have to dig out this stupid USB thing and plug it in before 
I can use my computer, what a pain."  They'll do that by copying the file 
off, especially after the first few instances of "Oh, damn, I have to dig 
out this stupid USB thing and plug it in to use my laptop, and I can't 
because I'm in Europe and the USB thingy is in Pittsburgh".


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA


Mime
View raw message