Any questions?
http://www.citi.umich.edu/
Notes:
RL “Bob” Morgan, UW: In the demo, you generated a public/private key pair -- it seemed really fast.
Peter: OpenSSL 512-bit key pair generation on P233 is fast.
Bob: The browser expects to protect private keys with a password. Is there really no reason to do that in this case?
Peter: That’s our view -- we’re trying to get rid of passwords.
Bob: Is there still some UI there when private keys are accessed and used? Do you get asked for a password or have to supply a zero-length password?
Bill Doster, UM: With IE, if a site wants to authenticate you, you get a dialog asking which certificate to use (even if you only have one cert). However, Navigator doesn’t do this. And if there’s no password, you’re not asked for one.
Russ Allbery@SU: How do you log out? In a cluster environment, things get tricky ...
Bill: It’s the same sort of problem we have with Kerberos Tickets. NT gives you control at logout, so you can do this; it’s harder with Win9x. CAPI has an interface for deleting certs.
Naomaru Itoi@UM: Is it possible to use two keys for authentication and encryption?
Peter: We’re really not trying to do digital signatures or public key encryption, just short-term authentication for access control.
Mark Poepping@CMU: When people are using real keys in conjunction with junk keys, how do you avoid bad interoperations?
Peter: I don’t believe that people will be using real keys -- the vendors are hung up on mathematically modeling social processes; it will never happen. All this PK stuff is bullshit, IMHO, but it is The Way for web space access control; we’re stuck with it.
Russ: We use cookies to bootstrap Kerberos authentication. I don’t know if you can give cookies to a browser from an external app ...
Russ: When you connect to a web page, the server does an S/Ident callback, makes a cookie and feeds it back.
Russ: S/Ident is basically the same as Sidecar -- our Kerberos infrastructure spawns a background process on the client that listens on the ident port. If S/Ident is not installed, we fall back to a secondary server that does stuff by SSL. This is ugly, but you can’t assume everyone has the necessary client-side software.
Peter: Note that in the space of {Netscape, IE} X {Windows, Mac}, we only have one box checked.
Bob: You need a module on the server and client for this to be “clean.” You have to hack htaccess into the server;
Russ: … And once you’ve done that, you can do anything.
Laurie Collinsworth@CU: At Cornell, we use our permit server. A module on the web server does a callback to Sidecar, which then calls the permit server.
Mark: How many identities (and thus requirements for authentication) do you think people will have?
Peter: My opinion: one per enterprise.
Mark: So how many times will you have to authenticate?
Peter: Most of my work is within the UMich realm (so a small handful). Observe how industry has gone on this -- every e-commerce outfit forces you to authenticate privately. (Insert cockroach metaphor here.)
Russ: You really want an interface where a remote site can send a cert to your browser that you can reuse.