Questions about Login tokens
Remote login to networked services is often done with unsafe passwords and uncomfortable account names. Login tokens replace this system with a highly secure alternative, that makes login hardly noticable to the end user.
What browsers support Login tokens?
At least IE5 on Windows, Mozilla, Netscape and Opera are capable of working with Login tokens.
The Un*x browsers Konqueror, Galeon and w3m are not.
IE for Macintosh lacks client certificate support, and so does Safari.
Textual browsers links and lynx also lack understanding of client certificates.
Check this browser
What is an anonymous identity?
Login tokens carry a name
Anonymous User 12345 in which the number varies. This is your anonymous identity, and you can safely tell it to anyone. It does not reveal who you are, or what your hobbies and desires are. In addition, accepting sites are prohibited from sharing behaviour of the holders of an anonymous identity. Refer to the policy for details.
Can one individual own multiple anonymous identities?
Yes, why not? It only aids in protecting their privacy. Different anonymous identities are treated as if they were owned by different individuals.
Are the anonymous identities on all Login tokens different?
A new request for a Login token always leads to a unique and new number in the anonymous identity. Only if a user renews a Login token (and proves ownership of the token being renewed to OpenFortress) will OpenFortress generate another client certificate with the same anonymous identity.
Site owners can safely treat the renewed Login token as an equivalent of the old one, because the same number indicates that the Login token belongs to the same person. This assumption is not safe with certificates that only mention human names and locations, but it is safe for Login tokens.
Can I renew a Login token early?
Yes, that is very smart! It gives you two independent ways of proving your anonymous identity, especially if stored in different places. If you somehow loose access to one Login token, you can still use the other to do what you normally do with it.
What about expiration of Login tokens?
Login tokens expire after one year because the embedded keys are not secure for a very long time, in part because they have the potential of being used a lot. To keep maliceous others totally uninterested in cracking your keys, we set them to expire after a year.
An attempt to login with an expired Login token will normally be rejected. At that time, the owner of a Login token can proceed to OpenFortress, which accepts the Login token for one additional month. This grace period is meant to allow for renewal of an expired Login token.
Can I move a Login token to another browser?
Yes, you can move a Login token (and its coupled private key) to another browser using the standard
PKCS #12 file format or any other format understood by both browsers. Your browser may refer to this as import/export or as backup/restore.
Place a long and hard one-time password on the file that you will be moving, try to transmit it over a secured channel, and securely wipe the file from disk after the transfer is complete.
Can I use a Login token with a smart card?
Yes, because Login tokens are standard client certificates as far as your local software is concerned. If your browser supports a smart card reader, you may use it to generate and store a Login token. Read the manuals that come with your browser and with your smart card reader for details.