[OpenAFS-devel] openafs - proposed cache security improvement

Sean O'Malley omalleys@msu.edu
Sat, 31 Mar 2007 14:48:19 -0400 (EDT)


On Fri, 30 Mar 2007, Jim Rees wrote:

> The citi implementation of pkinit is in the MIT kerberos source tree, but I
> don't think it has made it in to an official release yet.  It has two
> interfaces for doing its pk work.  One is pkcs11, which can be used to talk
> to a smartcard or other secure hardware (or even software) token.  The other
> simply reads certs and keys out of a file.  It requires a client cert, not
> just a key.

Does this mean UMich is going to start requiring all students to have
iPods like Duke does? :) I think I see where you are going with the Citi
implementation, but more people carry their iPods to class than their
bookbags. And the iPod has a serial number which I think you can access to
verify the integrity of the key, which is a lot better than a USB
thumbdrive as far as security goes, because you are verifying the device
itself. (Not that it isn't impossible to get around, but it makes it a lot
harder to steal someone's attended "keys".) And just judging by the random
comments around campus, more kids want the iPods than they do the
thumbdrives.

If you want to have a lot of fun with it, you could embed the keys and
certs in the UM fight song. :)


--------------------------------------
  Sean O'Malley, Information Technologist
  Michigan State University
-------------------------------------