|
Got into yet another conversation with Dan and Steve about being able to log
in while offline, and I think I convinced them that naively caching whatever
the user types in response to a prompt while online, and then repeating the
prompt and comparing the answer to the cached value when offline, generally
doesn't work.
Why? Well for one, one-time passwords: if you cache the response, you've
taken the one-time property out. For another, smart cards: if you let
the user in with just the PIN (and remember, at this level you don't even
know that smart cards are being used), you've just removed one factor
from the two-factor authentication system.
What we hit on for Kerberos is a helper which transforms the password (not
using the usual string-to-key -- storing a keytab with your keys on every
system you ever type a password into would be... horrific) and stores the
result as a "key" in a local keytab file if the KDC says that that's good
enough. (Using the keytab manipulation facilities from libkrb5 saves us from
having to implement our own file format.)
At the Kerberos level, you can have some idea if the user-response you're
examining is a password or not, and whether the KDC is reachable or not, so
it's tougher to do stupid things. The helper can always attempt to contact the
KDC, parse the error code which is returned by libkrb5, recuse itself if a
password proves insufficient, check the cache if the KDC is unreachable, and
update or clear the cache entry if the KDC was able to return a response.
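To make the helper's decision logic concrete, here is an added example (my own sketch, not the pam_krb5 code the entry describes). The KDC is replaced by a result code the caller passes in, standing for what the real helper would get by parsing libkrb5's error, so the whole thing runs offline. The transform used for the cached value (salted PBKDF2-HMAC-SHA256) is an assumption chosen here because it is deliberately not the Kerberos string-to-key function: the stored value is useless as a real key, which is the point of not writing a keytab with the user's actual keys. A fourth outcome, "password alone is insufficient", is also an assumption: it models the one-time-password and smart-card cases, where the helper recuses itself and makes sure no cached value is left behind that could bypass the missing factor offline.

```python
"""Offline-login cache helper modelled on the design above (added example)."""
import hashlib
import hmac
import secrets

# Outcomes a real helper would distinguish by parsing the libkrb5 error code.
KDC_OK = "ok"                      # AS exchange succeeded with this password
KDC_REJECTED = "rejected"          # KDC reachable, password/preauth failed
KDC_INSUFFICIENT = "insufficient"  # KDC reachable, password alone not enough (assumed)
KDC_UNREACHABLE = "unreachable"    # no KDC answered at all

PBKDF2_ROUNDS = 100_000  # assumption; slow enough to resist offline guessing


def transform(password, salt):
    """Derive the cache value. Deliberately NOT Kerberos string-to-key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class OfflineCache:
    """In-memory stand-in for the per-principal entry in the local keytab."""

    def __init__(self):
        self._entries = {}  # principal -> (salt, transformed value)

    def store(self, principal, password):
        salt = secrets.token_bytes(16)
        self._entries[principal] = (salt, transform(password, salt))

    def clear(self, principal):
        self._entries.pop(principal, None)

    def has(self, principal):
        return principal in self._entries

    def check(self, principal, password):
        entry = self._entries.get(principal)
        if entry is None:
            return False
        salt, expected = entry
        # Constant-time compare so a mismatch doesn't leak where it differed.
        return hmac.compare_digest(transform(password, salt), expected)


def authenticate(cache, principal, password, kdc_result):
    """Return True/False for a decision, or None when the helper recuses itself.

    The cache is consulted only when the KDC could not be asked at all; any
    answer from the KDC either refreshes the entry or throws it away.
    """
    if kdc_result == KDC_OK:
        cache.store(principal, password)  # KDC said this is good enough: cache it
        return True
    if kdc_result == KDC_REJECTED:
        cache.clear(principal)  # never keep a value the KDC just refused
        return False
    if kdc_result == KDC_INSUFFICIENT:
        cache.clear(principal)  # don't let a cached password stand in for a 2nd factor
        return None  # recuse: let a more capable module decide
    if kdc_result == KDC_UNREACHABLE:
        return cache.check(principal, password)
    raise ValueError("unknown KDC result: %r" % (kdc_result,))


if __name__ == "__main__":
    # Constructed walk-through: online success, then offline with the same and
    # with a wrong password, then an online rejection wiping the entry.
    c = OfflineCache()
    user = "user@EXAMPLE.COM"  # hypothetical principal
    print(authenticate(c, user, "correct horse", KDC_OK))           # True
    print(authenticate(c, user, "correct horse", KDC_UNREACHABLE))  # True
    print(authenticate(c, user, "wrong", KDC_UNREACHABLE))          # False
    print(authenticate(c, user, "wrong", KDC_REJECTED))             # False
    print(c.has(user))                                              # False
```

The ordering matters: the helper never writes the cache before the KDC has accepted the password, and it never reads the cache when the KDC is reachable, so a stale or stolen cache entry can only ever be used while the machine is genuinely cut off.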
Anyway, that's the idea. Maybe I'll have time to code it up before the test
2 freeze.
|
|
The connection between Boston and San Jose went through Las Vegas. I've
never seen such a well-behaved and laid-back planeload of passengers. And I've
never seen so many people drinking cocktails before 9AM. Maybe those are
related somehow.
|
|
Wow, it's been a while since I made any notes here. I guess I've been busy.
Or just lazy. Some of both, more likely. Continued working on the
PKINIT plugin. It's weird, but I'm looking forward to doing some testing at
this year's Connectathon. I find
it somewhat unsettling that more people not only haven't heard of it, but
continue to think I'm making the whole thing up, but hey, I'm a nerd.
I missed out on National
Gorilla Suit Day again. Some people toast with "Next year, in Jerusalem."
I think I'm going to start toasting with "Next year, in a gorilla suit."
And of course, FUDCon was
this weekend. It was, as expected, muy awesome.
Dan suckered me into helping at the SSO (single sign-on) BOF (birds of a
feather session) by at first asking for help making sure the right packages
were installed on his freshly-reinstalled laptop, and then by making me find
that my PKINIT plugin didn't actually build correctly against MIT Kerberos 1.6.
Oops. So as I feverishly tried to make it build right on his laptop, first
using a recent tarball, then using a fresh CVS checkout, we whiled away the
better part of an hour. On the bright side, except for making sure the client
trusted the server, and making the plugin acceptable to libkrb5, it sort of
Just Worked, which after all was the whole point. Maybe I managed to share the
Vision of storing stuff in a directory and having various protocol servers
use it as a data store, maybe I didn't, but that's my goal anyway.
I caught hell when I got back from the BOF, though, because I'd volunteered
to staff the Welcome desk during that hour. From this I learned, again, that
YOU DO NOT WANT TO LET ROBIN DOWN. (Once
you've destroyed a house with someone, you just don't do that.) I spent
the rest of the day staffing the desk, which I find inexplicably enjoyable
(maybe I'm flashing back to the permasmile I developed while working the
Drive-Thru), and attempting to direct people to the important goings-on. To a
certain extent, you get to feel that you know what's going on in all of the
sessions, and the company is quite enjoyable. I even managed to get some work
done.
Several people have already made notes about FUDpub, the informal gathering
which invariably takes place after FUDCon at one of the local, erm, gathering
places. For the third time, the locale was woefully underprepared to handle
the mass of nerds, descending upon them, as we are wont to do, like a cloud of
locusts. I was not impressed. I'm thinking that maybe we should choose a
different destination for next year.
Oh yeah, Happy (belated) Birthday, Ryan!
|