alphazo wrote:
Let's say I set up a dedicated server that will only be running KSM (AES key storage). I don't want to run a validation server. Can the Yubico validation server be used and linked to this remote KSM so I can access websites using the Yubico API?
Hi!
As you may have noticed, the architecture supports this, but we have no ready processes around this and not even any business decisions whether to offer this as a service or not. Some more technology needs to be designed to allow customers to easily let us know which KSM to use for which yubikeys, and also make sure that you own those yubikeys. Potentially a customer can "reserve" a yubikey prefix (much like we've reserved the '^vv' prefix for customer uploaded AES keys) and set up a KSM for those keys, and then inform Yubico of this somehow.
If you really need this option, and are prepared to pay at least a share of its development, please contact me at simon at yubico.com to discuss further.
Note that you may want to look into alternatives like OpenID & SAML for more vendor-neutral solutions around delegated authentication. Not a complete replacement, but if we are lucky it solves your needs.
/Simon
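The prefix-based routing Simon describes (a validation server deciding which KSM holds the AES key for a given yubikey range) can be sketched as below. This is an added example, not Yubico's validation-server code; the KSM URLs, the second route entry, and the 32-character token length assumption are placeholders and assumptions, and only the '^vv' prefix comes from the thread.

```python
import re

# Modhex alphabet used by YubiKey OTPs (maps to hex digits 0-f in order).
MODHEX = "cbdefghijklnrtuv"
TOKEN_LEN = 32  # assumption: the AES-encrypted part of a Yubico OTP is 32 modhex chars

# Constructed routing table: prefix regex -> KSM that may decrypt that key range.
# '^vv' (customer-uploaded AES keys) is from the thread; the URLs and the
# second entry are hypothetical placeholders.
KSM_ROUTES = [
    (re.compile(r"^vv"), "https://ksm.example.invalid/wsapi/decrypt"),
    (re.compile(r"^cccc"), "https://ksm-yubico.example.invalid/wsapi/decrypt"),
]

def split_otp(otp):
    """Return (public_id, token) or raise ValueError if the OTP is malformed."""
    otp = otp.strip().lower()
    # Public ID is 0-16 modhex chars, followed by the fixed-length encrypted token.
    if len(otp) < TOKEN_LEN or len(otp) > TOKEN_LEN + 16:
        raise ValueError("OTP length out of range")
    if any(c not in MODHEX for c in otp):
        raise ValueError("OTP contains non-modhex characters")
    return otp[:-TOKEN_LEN], otp[-TOKEN_LEN:]

def select_ksm(public_id):
    """Pick the KSM whose reserved prefix matches; None means no KSM owns this key."""
    for pattern, url in KSM_ROUTES:
        if pattern.match(public_id):
            return url
    return None

def route_otp(otp):
    """Validation-server side: decide which KSM should decrypt this OTP.

    Only the encrypted token leaves the validation server; the AES key never does.
    """
    public_id, token = split_otp(otp)
    ksm = select_ksm(public_id)
    if ksm is None:
        raise LookupError("no KSM registered for prefix %r" % public_id)
    return {"public_id": public_id, "token": token, "ksm": ksm}

if __name__ == "__main__":
    # Constructed sample OTP: a 12-char 'vv' public ID plus a 32-char token.
    sample = "vvcccccccccc" + "cbdefghijklnrtuvcbdefghijklnrtuv"
    print(route_otp(sample))
```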