WebApp Sec mailing list archives

Re: Problems with most web app auth schemes


From: Tim <tim-security () sentinelchicken org>
Date: Sun, 27 Jul 2003 09:59:18 -0700

> The problem with the public key cryptography system is that it is
> commercial.  That is, I have to pay money for a personal key.  If

False.  In no way is it required for you to buy a public key.  If a web
app wants to be reasonably confident in the association between a given
public key and a user, then have that user provide a public key at
sign-up time.  Users can create public keys locally, self-signed, and
never worry about having any 3rd party sign it.

If you are worried about the initial key exchange being attacked, well
then use one of the many types of public key server systems to exchange
initial keys.

Yes, distributed key management systems are harder to maintain, but they
provide a means to verify keys with little cost to both end users and
service providers.

> personal keys came with a computer system, then I believe it would catch
> on for the client side of things.  Until that happens, forcing a computer
> to not only get a personal key, but also pay for it, will not work.  If

You would propose that computer manufacturers have full access to your
private keys?

> things work without paying the money, why should the client pay the money?
> It is truly ironic that people care about privacy to force sites to have
> privacy policies and such, yet I have not met any "average joe" who
> reads them.

Once again, you have been confused by the eCommerce monopoly that
exists wrt site certificates.  It doesn't have to work this way.  Look
at PGP.  You say PGP is commercial?  Use GPG, and one of the free* key
servers out there.

I am not saying all of the tools to implement such systems are out
there, but it is something that I agree people should start looking at.


tim


* as in beer and as in freedom.
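The sign-up-then-authenticate flow Tim describes above (a key pair the user generates locally, its public half registered at sign-up, no third-party signature involved), as an added Go example that is not part of the original post: ed25519, the `loginTag` prefix and the single-use random challenge are assumptions of this example, not anything specified in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// loginTag is prepended to the nonce so a signature made for another purpose can never pass as a login.
const loginTag = "webapp-login-v1:"

// Server stores only public keys, so a database leak yields nothing usable for login.
type Server struct {
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// SignUp records the self-generated, self-signed key the user presents at registration.
func (s *Server) SignUp(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// Challenge issues a fresh random nonce that the user must sign to log in.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Login verifies the signature over the outstanding challenge and consumes it, so a captured signature cannot be replayed.
func (s *Server) Login(user string, sig []byte) bool {
	pub := s.users[user]
	nonce, ok := s.pending[user]
	delete(s.pending, user) // single use, whether or not verification succeeds
	if !ok || len(pub) != ed25519.PublicKeySize {
		return false // no challenge outstanding, unknown user, or malformed key
	}
	return ed25519.Verify(pub, append([]byte(loginTag), nonce...), sig)
}

// ClientSign runs on the user's machine; the private key never leaves it.
func ClientSign(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(loginTag), nonce...))
}
```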

