2008-08-07 16:48:36 |
Dustin Kirkland |
bug |
|
|
added bug |
2008-08-07 16:48:50 |
Dustin Kirkland |
ecryptfs-utils: importance |
Undecided |
Wishlist |
|
2009-02-20 23:40:15 |
Dustin Kirkland |
ecryptfs-utils: status |
New |
Won't Fix |
|
2009-02-20 23:40:15 |
Dustin Kirkland |
ecryptfs-utils: statusexplanation |
|
Hi, thanks so much for the bug report.
I've been thinking about this quite a bit lately. I'm going to have to mark this "won't fix" for now.
The prevailing opinion from security professionals is that fingerprints are perhaps a good replacement for usernames. However, they're really not a good replacement for passwords.
Consider your laptop... How many fingerprints of yours are there on your laptop right now? As such, it's about as secret as your username. You don't leave your password on your spacebar, or on your beer bottle :-)
This Wikipedia entry (although it's about Microsoft Fingerprint Readers) is pretty accurate:
* http://en.wikipedia.org/wiki/Microsoft_Fingerprint_Reader
So, I'm sorry, but I don't think we'll be fixing this for now.
:-Dustin |
|
2009-03-05 00:07:39 |
Jamie Strandboge |
ecryptfs-utils: status |
Won't Fix |
Confirmed |
|
2009-03-05 00:07:39 |
Jamie Strandboge |
ecryptfs-utils: statusexplanation |
I am not personally a fan of fingerprint readers on their own because often they can be subverted (see Dustin's comment) and because I generally don't like amputation-ware (I like all my parts where they are now, thanks). That said, someone else may have a really good reader and want to use it, and I'd have to agree with Roger that just because I, Dustin and other security professionals don't find them useful for passwords, that doesn't mean they shouldn't be supported, if those interested want to put in the work.
Combining a fingerprint reader with other authentication mechanisms can make things more secure. E.g., the fingerprint (something that uniquely identifies you), with a password (something you know) and a smart card/usbkey (something you have) would offer quite strong protection (not to mention rather severe usability issues). In this scenario an attacker needs to obtain three different tokens, which is likely more difficult than two and certainly more than just one. |
|
2009-03-05 06:02:24 |
Dustin Kirkland |
ecryptfs-utils: status |
Confirmed |
Triaged |
|
2009-03-05 06:02:24 |
Dustin Kirkland |
ecryptfs-utils: statusexplanation |
Thanks to all for the latest feedback.
At this point, I'm marking this bug 'Triaged', which should be a marked upgrade from 'Won't fix' ;-)
For the reasons that I've previously mentioned (I don't have a fingerprint reader, and wouldn't use one even if I did), I personally won't be implementing this.
However, as my cohort Tyler says, if someone comes forward with a good, working, tested patch, I would certainly merge support into the eCryptfs upstream codebase. It should be quite possible to implement, as a generic PKCS-11 token within the existing eCryptfs key module framework.
:-Dustin |
|
2009-04-24 14:55:44 |
Dustin Kirkland |
bug task added |
|
ecryptfs |
|
2009-04-24 14:57:02 |
Dustin Kirkland |
ecryptfs: importance |
Undecided |
Wishlist |
|
2009-04-24 14:57:02 |
Dustin Kirkland |
ecryptfs: status |
New |
Triaged |
|
2009-04-30 22:11:37 |
Dustin Kirkland |
ecryptfs: status |
Triaged |
Confirmed |
|
2009-04-30 22:11:48 |
Dustin Kirkland |
ecryptfs-utils (Ubuntu): status |
Triaged |
Confirmed |
|
2010-10-14 08:32:24 |
Oded Ben Ozer |
bug |
|
|
added subscriber Oded Ben Ozer |
2010-12-06 10:18:58 |
Aleksei Gusev |
bug |
|
|
added subscriber Slava Kravchenko |
2011-09-05 10:07:51 |
Gregor Giesen |
bug |
|
|
added subscriber Gregor Giesen |
2012-09-07 01:18:53 |
TJ |
bug |
|
|
added subscriber TJ |
2012-09-08 12:06:37 |
Geek87 |
bug |
|
|
added subscriber Geek87 |
2015-03-13 23:13:00 |
Dustin Kirkland |
ecryptfs: status |
Confirmed |
Won't Fix |
|
2015-03-13 23:13:02 |
Dustin Kirkland |
ecryptfs-utils (Ubuntu): status |
Confirmed |
Won't Fix |
|