RE: Something Stronger than a Passphrase? (UNCLASSIFIED)


Classification:  UNCLASSIFIED 
Caveats: NONE

Thanks Daniel,

I think this is a very good paper. It seems to focus on the MyProxy
server as a CA. But (trying to exercise my newly forming understanding),
I see that it need not be if I have already put a proxy credential on
the MyProxy server. The OTP could be used to get subordinate proxy
credentials for my own use. So relying parties need not know, a priori,
of the existence of this MyProxy server.

But relying parties would seem to have to understand the difference
between CA certs, end entity certs and proxy certs, and understand
whether to check the revocation status of each. 

Does anyone know whether any commercial relying party products
understand, will not reject and will not require the revocation status
of proxy certificates even if they require status of the longer term
certificates in the chain?

PKI folks tend to think only CAs should be able to sign certs. Does
anyone know whether there is any problem with NIST/FIPS-compliance if
proxy certs are accepted by a relying party product or system? (I hope
not. I think we need this.)

Thanks, again

> -----Original Message-----
> From: owner-myproxy-users@ncsa.uiuc.edu 
> [mailto:owner-myproxy-users@ncsa.uiuc.edu] On Behalf Of Daniel Clark
> Sent: Tuesday, April 10, 2007 4:31 PM
> To: myproxy-users@ncsa.uiuc.edu
> Subject: Re: Something Stronger than a Passphrase? (UNCLASSIFIED)
> 
> On 4/10/07, Jim Basney <jbasney@ncsa.uiuc.edu> wrote:
> > Friedrichs, Paul D CTR DISA PEO-IAN <Paul.Friedrichs.ctr@disa.mil> wrote:
> > > I am *very* interested in deploying MyProxy on a large scale,
> >
> > Great!
> >
> > > but I am concerned about the possibility of a phishing/pharming-like attack
> > > to capture the passphrase passed from the prospective proxy to what
> > > it thinks is the MyProxy server during the get process.
> 
> If you haven't run across it yet, this paper is a good read 
> that covers some of these issues, specifically the use of 
> One-Time Passwords (OTP) with MyProxy:
> 
> Simplifying Public Key Credential Management Through Online 
> Certificate Authorities and PAM 
> http://middleware.internet2.edu/pki06/proceedings/chan-pam.pdf
> 
> --
> Daniel Clark # http://dclark.us # http://opensysadmin.com
> 
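The distinction raised in the reply above (CA certs versus end-entity certs versus proxy certs, and which of them a relying party has to check for revocation) is exactly what an RFC 3820-aware verifier has to implement. The following is an added Go example and is not code from this thread, from MyProxy or from Globus; it builds its own throwaway CA, end-entity certificate and 12-hour proxy in memory, then walks the chain the way such a verifier must. The names (Classify, WalkProxyChain, BuildDemoChain, "Example Grid CA", "alice") are made up for the example; the OIDs and the ordering rules are from RFC 3820. It also shows the stock RFC 5280 check (Go's CheckSignatureFrom) refusing the proxy because its signer carries cA=FALSE, which is the rejection behaviour the reply asks about in commercial relying parties.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RFC 3820 OIDs (ProxyCertInfo extension, id-ppl-inheritAll policy language) and X.520 commonName.
var oidProxyCertInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14}
var oidPplInheritAll = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1}
var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}

// ProxyCertInfo ::= SEQUENCE { proxyPolicy SEQUENCE { policyLanguage OID } }; pCPathLenConstraint omitted.
type proxyPolicy struct{ PolicyLanguage asn1.ObjectIdentifier }
type proxyCertInfo struct{ ProxyPolicy proxyPolicy }

// CertKind is the distinction a relying party must draw for every link in the chain.
type CertKind string

const KindCA, KindEndEntity, KindProxy CertKind = "CA", "end-entity", "proxy"

// Classify: ProxyCertInfo present => proxy; cA=TRUE => CA; anything else => end entity.
func Classify(c *x509.Certificate) CertKind {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidProxyCertInfo) {
			return KindProxy
		}
	}
	if c.BasicConstraintsValid && c.IsCA {
		return KindCA
	}
	return KindEndEntity
}

// No CA issued a proxy, so no CRL or OCSP responder covers it and its short lifetime stands in
// for revocation; the long-term CA and end-entity certificates still get their status checked.
func NeedsRevocationCheck(k CertKind) bool { return k != KindProxy }

// The RFC 5280-only view: CheckSignatureFrom refuses any signer with cA=FALSE, which is why a
// relying party that knows nothing of RFC 3820 rejects a proxy chain outright.
func StockSignatureCheckAccepts(child, parent *x509.Certificate) bool {
	return child.CheckSignatureFrom(parent) == nil
}

// WalkProxyChain validates a leaf-first chain ending in a self-signed CA as an RFC 3820-aware
// relying party must: a proxy is signed only by an end entity or another proxy, everything else
// only by a CA, and each signature is checked against the parent's key directly.
func WalkProxyChain(chain []*x509.Certificate, now time.Time) ([]CertKind, error) {
	if len(chain) == 0 {
		return nil, errors.New("empty chain")
	}
	var kinds []CertKind
	for i, c := range chain {
		kind, signer := Classify(c), c // the last link must sign itself
		if i+1 < len(chain) {
			signer = chain[i+1]
		}
		signerKind := Classify(signer)
		switch {
		case now.Before(c.NotBefore) || now.After(c.NotAfter):
			return nil, fmt.Errorf("%s is outside its validity period", c.Subject)
		case signer == c && kind != KindCA:
			return nil, fmt.Errorf("trust anchor %s is not a CA", c.Subject)
		case kind == KindProxy && signerKind == KindCA:
			return nil, fmt.Errorf("proxy %s must not be issued by a CA", c.Subject)
		case kind != KindProxy && signerKind != KindCA:
			return nil, fmt.Errorf("%s is signed by non-CA %s", c.Subject, signer.Subject)
		case signer.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil:
			return nil, fmt.Errorf("bad signature on %s", c.Subject)
		}
		kinds = append(kinds, kind)
	}
	return kinds, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl is a minimal template: explicit BasicConstraints with cA=FALSE unless IsCA is set later.
func tmpl(serial int64, cn string, ttl time.Duration) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(ttl), BasicConstraintsValid: true}
}

// issue mints a fresh P-256 key for the subject and returns the parsed certificate with that key;
// signer == nil together with parent == t yields a self-signed certificate.
func issue(t, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		signer = key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// BuildDemoChain constructs, in memory and for this example only, a CA, the long-term end-entity
// certificate CN=alice it issues, and a 12-hour proxy signed by alice's own key. Leaf first.
func BuildDemoChain() []*x509.Certificate {
	caTmpl := tmpl(1, "Example Grid CA", 8760*time.Hour)
	caTmpl.IsCA, caTmpl.KeyUsage = true, x509.KeyUsageCertSign
	ca, caKey := issue(caTmpl, caTmpl, nil)
	aliceTmpl := tmpl(2, "alice", 8760*time.Hour) // cA=FALSE, as in any ordinary EE certificate
	aliceTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	alice, aliceKey := issue(aliceTmpl, ca, caKey)
	proxyTmpl := tmpl(3, "alice", 12*time.Hour)
	// RFC 3820 section 3.4: the proxy's subject is the issuer's DN plus one more CN component.
	proxyTmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidCommonName, Value: "1234567"}}
	pci := must(asn1.Marshal(proxyCertInfo{proxyPolicy{oidPplInheritAll}}))
	proxyTmpl.ExtraExtensions = []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: pci}}
	proxy, _ := issue(proxyTmpl, alice, aliceKey)
	return []*x509.Certificate{proxy, alice, ca}
}

func main() {
	chain := BuildDemoChain()
	fmt.Println("RFC 5280-only check accepts the proxy:", StockSignatureCheckAccepts(chain[0], chain[1]))
	for i, k := range must(WalkProxyChain(chain, time.Now())) {
		fmt.Printf("%-26s %-10s revocation check: %v\n", chain[i].Subject, k, NeedsRevocationCheck(k))
	}
}
```

Running it prints `false` for the stock check and then one line per link: the proxy is classified as such and exempt from a revocation lookup, while the end-entity and CA certificates are flagged for one. The walker deliberately bypasses x509.Verify, which would also stop on the critical ProxyCertInfo extension it does not understand; a product that is to accept proxy certificates needs the equivalent of Classify and the two ordering rules in WalkProxyChain, and a CRL/OCSP policy keyed on the kind rather than applied uniformly to every link.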