directory-dev mailing list archives

From Jeffrey Hutzelman <>
Subject Re: One Time Identification, a request for comments/testing.
Date Thu, 01 Feb 2007 22:15:56 GMT

On Thursday, February 01, 2007 03:06:21 PM -0600 wrote:

>> What keeps a user from copying the identity token from the USB
>> device to a local or shared file system to avoid having to insert
>> the USB device all the time?
> We were considering public flogging but were unsure if we could get it
> into an IETF draft.

<wg chair hat on>

Anyone can submit an internet-draft; just write up your proposal according 
to <> and send it off to

You should then bring up your proposal on the Kerberos Working Group 
mailing list,  We're beginning to move into the area 
of preauthentication and improving the initial authentication exchange, and 
while I can't guarantee that your proposal will be well-received, it will 
certainly receive the same consideration as a number of others that have 
recently been raised.

<wg chair hat off>

> Security starts with user training and making it unnecessary for them
> to want to do things like that.

In this case, I think that is unrealistic.  The thing users want to avoid 
is "Oh, damn, I have to dig out this stupid USB thing and plug it in before 
I can use my computer, what a pain."  They'll do that by copying the file 
off, especially after the first few instances of "Oh, damn, I have to dig 
out this stupid USB thing and plug it in to use my laptop, and I can't 
because I'm in Europe and the USB thingy is in Pittsburgh".

-- Jeffrey T. Hutzelman (N3NHS) <>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
