On 1. 2. 2011 17:56, Gervase Markham wrote:
Dear crypto-hackers,

Your thoughts on the following problem would be appreciated.

Goal: fix bug 570252. Provide 2-factor authentication for some
Bugzilla accounts.
https://bugzilla.mozilla.org/show_bug.cgi?id=570252

Sub-goal: do it in a way which doesn't involve purchasing or running
proprietary software.

General musings on these goals welcome. Here also are some specific
questions:

Q1) There is conflicting advice in that bug about whether a client
certificate-based solution can meet the requirement of "implement it
only for some accounts" (with the implicit requirement that it doesn't
bother or affect people who are not using it). Can a client
certificate solution be made to work?

Q2) If not, does anyone know of any commercial 2-factor systems which
can be implemented entirely with open source tools and software? (I'd
accept having to purchase closed hardware tokens.)

Q3) If not, can we do something smart like issue chip cards and
leverage the devices being shipped for the rollout of the Chip
Authentication Program in various countries?
http://en.wikipedia.org/wiki/Pinsentry

Q4) Or, could we do something in-browser or with a phone app, allowing
people to use their mobile phone as the hardware token?

@Q4: I am doing this as my diploma thesis; it works for Windows Mobile
phones/PDAs and is tested with Firefox and Thunderbird. Certificate
login works fine in Firefox.
M. Kurpel
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto