Re: "too many auth failures"?

To: Nicolas.Williams%oracle.com@localhost, simon%josefsson.org@localhost
Subject: Re: "too many auth failures"?
From: Peter Gutmann <pgut001%cs.auckland.ac.nz@localhost>
Date: Wed, 27 Oct 2010 19:43:18 +1300

Simon Josefsson <simon%josefsson.org@localhost> writes:

>Isn't this another problem?  Often private keys are protected by a password
>or requires a PIN to unlock a smartcard, and iterating to sign with all keys
>becomes a user interface issue quickly.  This is how libssh2 works, and I
>couldn't think of any way to avoid it.

That's been a major issue for S/MIME deployments in the past, as soon as you 
enable message signing/encryption you get bombarded with requests to insert 
smart cards, enter PINs and passwords, and generally end up being a crypto 
bookkeeper for your mail app.  The usual solution is to use S/MIME gateways, 
where the organisational mail gateway holds your key and signs/decrypts on 
your behalf, more or less defeating the point of personal message security 
since now you're just doing a STARTTLS for SMTP-equivalent in a really awkward 
way.

(The lesson there is that the app should do all it can to minimise the load on
the user, otherwise security gets sacrificed in exchange for functionality).

Peter.

Follow-Ups:
- Re: "too many auth failures"?
  - From: Love Hörnquist Åstrand

References:
- Re: "too many auth failures"?
  - From: Simon Josefsson

Prev by Date: Re: "too many auth failures"?
Next by Date: Re: "too many auth failures"?
Previous by Thread: Re: "too many auth failures"?
Next by Thread: Re: "too many auth failures"?
Indexes:

Home | Main Index | Thread Index | Old Index