WebApp Sec mailing list archives
Re: Problems with most web app auth schemes
From: Tim <tim-security () sentinelchicken org>
Date: Sun, 27 Jul 2003 09:59:18 -0700
> The problem with the public key cryptography system is that it is commercial. That is, I have to pay money for a personal key. If
False. In no way is it required for you to buy a public key. If a web app wants to be reasonably confident in the association between a given public key and a user, then have that user provide a public key at sign-up time. Users can create public keys locally, self-signed, and never worry about having any 3rd party sign it. If you are worried about the initial key exchange being attacked, well then use one of the many types of public key server systems to exchange initial keys. Yes, distributed key management systems are harder to maintain, but they provide a means to verify keys with little cost to both end users and service providers.
> personal keys came with a computer system, then I believe it would catch on for the client side of things. Until that happens, forcing a computer to not only get a personal key, but also pay for it, will not work. If
You would propose that computer manufacturers have full access to your private keys?
> things work without paying the money, why should the client pay the money. It is truly ironic that people care about privacy to force sites to have privacy policies and such, yet I have not met any "average joe" who reads them.
Once again, you have been confused by the eCommerce monopoly that exists wrt site certificates. It doesn't have to work this way. Look at PGP. You say PGP is commercial? Use GPG, and one of the free* key servers out there. I am not saying all of the tools to implement such systems are out there, but it is something that I agree people should start looking at.

tim

* as in beer and as in freedom.
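The scheme Tim sketches (the user generates a key locally, hands the public half to the web app at sign-up, and no third party ever signs it) reduces to a plain challenge-response login. The following is an added example and not code from this thread; it uses Go's standard-library Ed25519, a constructed context prefix `webapp-login-v1:`, and an in-memory account map standing in for the app's user database.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Prefix signed with every nonce, so a login signature is not reusable elsewhere.
const loginContext = "webapp-login-v1:"
// Per-user state: the self-generated key supplied at sign-up (no CA involved)
// and the pending challenge nonce, nil when none is outstanding.
type account struct {
	pub   ed25519.PublicKey
	nonce []byte
}
type Server map[string]*account // username -> account

// SignUp binds the user-generated public key to the account.
func (s Server) SignUp(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	s[user] = &account{pub: pub}
	return nil
}
// Challenge issues a fresh random nonce the client must sign to log in.
func (s Server) Challenge(user string) ([]byte, error) {
	a, ok := s[user]
	if !ok {
		return nil, errors.New("unknown user")
	}
	a.nonce = make([]byte, 32)
	_, err := rand.Read(a.nonce)
	return a.nonce, err
}
func loginMsg(nonce []byte) []byte { return append([]byte(loginContext), nonce...) }
// ClientSign runs on the user's machine with the locally generated private key.
func ClientSign(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, loginMsg(nonce))
}
// Login checks the signature over the pending nonce, then consumes it (no replay).
func (s Server) Login(user string, sig []byte) bool {
	a, ok := s[user]
	if !ok || a.nonce == nil {
		return false
	}
	nonce := a.nonce
	a.nonce = nil // one attempt per challenge
	return ed25519.Verify(a.pub, loginMsg(nonce), sig)
}
```

The open question Tim raises, how the app gains confidence that the key presented at sign-up really belongs to that person, is left to the sign-up step (or a key server) and is not solved by the code above.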