Re: roaming credentials (sacred)

[Stephen Farrell <stephen.farrell@xxxxxxxxxxxx>]

Hi Pierre,

>         Why not looking at PKCS#15 Soft Token there. This will be a good
> container for one or more credentials, and it has the ability to tell what
> is inside the container.

I'd agree that p#15 should be one of the formats we consider.

>         Question if a user has access to many PKCS#15, how to we decide
> which one to use ?

That's something we need to figure out when/if we get to protocol
design.

>         Question PKCS#15 and (in most case PKCS#12) are protected by a
> password. Is that good enough ? 

Nope. If we can't do better than a weak password, then we'd just
be making security worse by leaving credentials lying around 
vulnerable to dictionary attacks (which'd hardly constitute a 
successful security protocol:-).

> Should we use a type of one time password,
> can we make provision to get those passwords derived from some physical
> hardware (a chip serial number, a biometrics template,...) ?

Worked out suggestions are welcome. I do agree that it'd be nice
to allow cases where there is h/w on the client, but I don't think
we can mandate this (or if we do, no-one will do it!).

Stephen.


-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 647 7406
61 Fitzwilliam Lane,                    fax: +353 1 647 7499
Dublin 2.                mailto:stephen.farrell@xxxxxxxxxxxx
Ireland                             http://www.baltimore.com