WebApp Sec mailing list archives
Re: Problems with most web app auth schemes
From: Ingo Struck <ingo () ingostruck de>
Date: Sun, 27 Jul 2003 20:30:34 +0100
Hi Brant,
> The problem with the public key cryptography system is that it is commercial. That is, I have to pay money for a personal key. If personal keys came with a computer system, then I believe it would catch on for the client side of things. Until that happens, forcing a computer to not only get a personal key, but also pay for it, will not work. If things work without paying the money, why should the client pay the money?

I would like to contradict that. There are some "non-monetary" approaches for public key systems that clearly provide an even better "trust" than that of commercial solutions (e.g. something like thawte's Web Of Trust or multiple signed PGP keys). The "public key cryptography system" is definitely *not* inherently commercial. The question of how "trust" can be established is not connected to any technical solution or to cryptography, but is rather sociological. (That means that I personally would trust a key signed by 20 acquainted people more than a "bought" one authorized by some obscure commercial institution, and I am *very* sure that I am not alone with this attitude.)

From a cryptographic (and thus "technical") point of view, the public key system currently is superior to any other known solution. That's the reason why it *should* be chosen to implement the "technical" backbone to base personal "trust"-relationships on. The fact that some few foresighted companies exploit the general lack of "trust" within the context of the web is clearly not an argument against using an unsurpassed methodology for authentication.

Kind regards

Ingo Struck

--
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg
with fingerprint C700 9951 E759 1594 0807 5BBF 8508 AF92 19AA 3D24