Dear Simon, > I've been thinking about PSKC and trying to figure out what it would > mean to support it in OATH Toolkit. I can imagine the following:
Thanks for looking at it. > * Library functions to read and parse PSKC files and iterate through the > data and extract the fields. > > * Tool to parse PSKC files and print the content in a human friendly > way. > > * Tool to protect encrypt/decrypt PSKC files, according to section 6 in > RFC 6030. There are several ways here, and it isn't clear what would > be best to do. > > What functionality is interesting? IMHO PSKC is useful for key provisioning (2nd option). A small tool in the tradition of Unix would be nice to compute a PSKC file a display/manipulate a seed. Then we can use a simple batch script to manipulate /etc/users.oath. Of course, another approach would be that /etc/users.oath references the PSKC file. It would allow to store the seed securely on server. But ... IMHO most vendors are using Radius protocol to store seeds securely. So modifying /etc/users.oath may be a lot of work when FreeRadius is able to do the work in conjunction with LDAP. A customer recently explained that he was using FreeRadius with a custom python script to manage OATH authentication. But I believe this is a custom work and is not available to the public. oathtool could do the trick also and I am trying to understand how to use it with FreeRadius. For all these reasons, I believe a small utility would do the trick for provisioning. This can be a first approach. The ultimate solution would be an ePass2003 token on server, with Freeradius and LDAP. The ePass2003 can be found here: http://www.gooze.eu/epass-2003 On FreeRadius startup, the user would need to enter a PIN code to unlock the seed encryption key in memory. This would really enhance the security. So the roadmap could be: 1) Provide a small PSKC utility. 2) Work on a FreeRadius HOWTO with customs scripts to integrate OATHtoolkit with FreeRadius, with little glue as possible. 3) Work on a more advanced version secured by a crypto stick like the ePass2003. But I believe that even that can be managed by a custom script in the Unix tradition. Kind regards, Jean-Michel POURE -- GOOZE - http://www.gooze.eu High quality cryptographic tools for GNU/Linux, Mac OS X and Windows including the FEITIAN PKI card POURE SASU - 17 rue Saint Jacques - 95160 Montmorency - France Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 51 99 37 90 Registry: FR 527 672 448 00018 - VAT: FR54527672448 ID PGP/GPG: 084F2584
smime.p7s
Description: S/MIME cryptographic signature
