zben@CAMELOT.UMD.EDU (Ben Cranston) (04/30/89)
If you have strong feelings about one or both of these questions, please send me <zben@umd2.umd.edu> mail. I will summarize for the net.

Question one deals with the vulnerability of unattended consoles. It has been suggested that ticket propagation require an additional password entry, to forestall an intruder propagating tickets unbeknownst to the real user. It has also been suggested that password entry be minimized, since each time a password is entered is another security exposure. The schemes we are looking at propose the propagation of a TGS ticket, with which the remote software can silently obtain all the additional service tickets it might ever need. Therefore, we need only ask for the password once, when the TGS ticket at the remote host is being obtained. For the purposes of the question, the password entry is only needed once.

1. Do you feel strongly that users should be FORCED to type their passwords again in order to extend their capabilities to a new seat-of-action? Do you feel strongly that users should NEVER have to type their passwords again, even to extend their capabilities to a new seat-of-action?

Question two deals with servers like our proposed encryption key server and digital signature server, in which the sealed objects will in general live for much longer than one work session. We assume that a real-world service will change its private key periodically (if not, one stolen key puts at risk EVERYTHING THE SERVER HAS EVER DONE). This implies the storage of all key values ever used, or else a limited lifetime for the fruits of the service.

2. Do you feel that it is an unreasonable burden for a server to be required to maintain a permanent history of every private key value ever used?
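As an added illustration of the trade-off in question two (example code, not part of the original post): a toy sealing server in which every sealed object names the key that produced it, so after a key rotation the server can either keep every key it has ever used, or destroy retired keys and accept that older sealed objects become unverifiable. HMAC-SHA256 stands in for the digital signature, and the class and function names are assumptions.

```python
import hashlib
import hmac
import os


class SealingServer:
    """Toy model of a signature/key server that rotates its private key.

    HMAC-SHA256 is a stand-in for the real signature (assumption); each
    sealed object carries the id of the key that made it, so a single
    stolen key only exposes the objects sealed under that key id.
    """

    def __init__(self, keep_history):
        self.keep_history = keep_history  # True: retain every key ever used
        self.keys = {}                    # key_id -> 32-byte secret
        self.key_id = 0
        self.rotate()

    def rotate(self):
        """Retire the current key and start signing with a fresh one."""
        if not self.keep_history and self.key_id in self.keys:
            del self.keys[self.key_id]    # limited-lifetime policy: destroy it
        self.key_id += 1
        self.keys[self.key_id] = os.urandom(32)

    def seal(self, message):
        tag = hmac.new(self.keys[self.key_id], message, hashlib.sha256).digest()
        return (self.key_id, tag)         # sealed object names its key

    def verify(self, message, sealed):
        key_id, tag = sealed
        secret = self.keys.get(key_id)
        if secret is None:
            return "expired"              # key gone: object outlived the service
        expected = hmac.new(secret, message, hashlib.sha256).digest()
        return "valid" if hmac.compare_digest(expected, tag) else "forged"


def demo(keep_history):
    """Seal one object, rotate twice, then check it under the chosen policy."""
    srv = SealingServer(keep_history)
    sealed = srv.seal(b"constructed sample document")
    srv.rotate()
    srv.rotate()
    return (srv.verify(b"constructed sample document", sealed),
            srv.verify(b"tampered document", sealed),
            len(srv.keys))                # how much key history is being held
```

With a permanent history the old object still verifies and a tampered copy is rejected, at the cost of one stored key per rotation; with retired keys destroyed, the server holds only one key but can no longer say anything about objects sealed before the last rotation.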