miller@ERLANG.ENET.DEC.COM (Steve Miller 26-Dec-1989 1246) (12/27/89)
From: LYRE::"MAILER-DAEMON" "Mail Delivery Subsystem" 24-DEC-1989 17:13:34.27
To: spm
CC:
Subj: Returned mail: Cannot send message for 3 days

----- Transcript of session follows -----
421 decwrl.dec.com.tcp... Deferred: Host is unreachable

----- Unsent message follows -----
Received: by lyre.nac.dec.com (5.57/Ultrix2.4-C) id AA00681; Thu, 21 Dec 89 16:17:59 EST
Date: Thu, 21 Dec 89 16:17:59 EST
From: spm (Steven Miller)
To: decwrl::kerberos@athena.mit.edu
Subject: Re: Authentication vulnerabilities
Cc: spm

Recent messages from Hugh Lauer and Michael Salzman discussed the administrative vulnerabilities of various authentication systems. In any of these systems, be it Kerberos, X.509, or others, there is a trust in the administrative components (such as the Kerberos realm administrator). All that the protocols can hope to achieve is to explicitly identify which set of components are involved in a particular authentication operation. This then gives the principals the opportunity to enforce any policy they choose with respect to those administrative units. For example, not granting write access to certain Kerberos realms based on not trusting the carefulness of that realm's administration.

Kerberos V4 provides a limited form of such information, for a 1-hop realm traversal, and V5 will provide the entire path of administrative units (realms) involved in the operation. So an apprehensive principal can set up their authorization to take the administrative trust into account.

The task of determining trust in an administrative unit is way beyond the scope of computer communications. There may be applicable precedents in other organizations such as banking or the military to deal with these administrative issues.

Steve

p.s. Tools such as smart cards with PINs are better, but still imperfect since they may be intentionally shared or shared under duress -- e.g. people have been mugged and forced to obtain money from their cash machines.
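The kind of path-aware authorization policy the post describes, written out as an added example that is not part of the original thread or of any Kerberos implementation. The realm names and the trust table are constructed for illustration, and the transited field is assumed to be a plain comma-separated list of realm names (real Kerberos V5 uses a compressed encoding for it).

```python
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2


# Hypothetical policy table (constructed for this example): the most access
# a service will grant to an authentication vouched for by each realm.
# Realms absent from the table are untrusted and cap access at NONE.
REALM_TRUST = {
    "LOCAL.EXAMPLE": Access.WRITE,
    "PARTNER.EXAMPLE": Access.WRITE,
    "SLOPPY.EXAMPLE": Access.READ,
}


def parse_transited(transited):
    """Split a transited-realm field into realm names.

    Assumption: a plain comma-separated list of full realm names.  Real
    Kerberos V5 uses a compressed encoding for this field; decoding it is
    out of scope here.
    """
    return [r.strip() for r in transited.split(",") if r.strip()]


def max_access(client_realm, transited, policy=REALM_TRUST):
    """Weakest-link trust over the whole administrative path.

    Every realm that vouched for the ticket (the client's own realm plus
    each intermediate realm in `transited`) must be trusted at the level
    granted.  An empty `transited` is the one-hop case a V4 server sees.
    """
    path = [client_realm] + parse_transited(transited)
    return min(policy.get(realm, Access.NONE) for realm in path)


def authorize(client_realm, transited, requested, policy=REALM_TRUST):
    """True if `requested` access is allowed under the realm policy."""
    return requested <= max_access(client_realm, transited, policy)


if __name__ == "__main__":
    # A trusted partner principal whose ticket crossed a carelessly run
    # realm is downgraded to read-only for this service.
    print(authorize("PARTNER.EXAMPLE", "SLOPPY.EXAMPLE", Access.WRITE))
```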
jmc@PacBell.COM (Jerry Carlin) (12/27/89)
In article <8912261743.AA02542@decwrl.dec.com> miller@ERLANG.ENET.DEC.COM (Steve Miller) writes:
>p.s. Tools such as smart cards with PINs are better, but still imperfect
>since they may be intentionally shared or shared under duress -- e.g.
>people have been mugged and forced to obtain money from their cash machines.

At least one smart card system that I know has a 'duress' PIN that is to be used specifically in duress situations so that the system can take action under those circumstances.

--
Jerry Carlin (415) 823-2441 {bellcore,sun,ames,pyramid}!pacbell!jmc
To dream the impossible dream. To fight the unbeatable foe.