WebApp Sec mailing list archives

Re: Problems with most web app auth schemes


From: Ingo Struck <ingo () ingostruck de>
Date: Sun, 27 Jul 2003 20:30:34 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Brant,

> The problem with the public key cryptography system is that it is
> commercial.  That is, I have to pay money for a personal key.  If
> personal keys came with a computer system, then I believe it would catch
> on for the client side of things.  Until that happens, forcing a computer
> to not only get a personal key, but also pay for it, will not work.  If
> things work without paying the money, why should the client pay the money?
I would like to contradict that.
There are some "non-monetary" approaches for public key systems,
that clearly provide an even better "trust" than that of commercial solutions
(e.g. something like thawte's Web Of Trust or multiple signed PGP keys).
The "public key cryptography system" is definitely *not* inherently
commercial. The question of how "trust" can be established is not connected
to any technical solution or to cryptography, but is rather sociological.
(That means that I personally would trust a key signed by 20 people I am acquainted with
more than a "bought" one authorized by some obscure commercial institution, and
I am *very* sure that I am not alone with this attitude).

From a cryptographic (and thus "technical") point of view, the public key
system currently is superior to any other known solution. That's the reason
why it *should* be chosen to implement the "technical" backbone to base
personal "trust" relationships on. The fact that a few farsighted companies
exploit the general lack of "trust" within the context of the web is clearly
not an argument against using an unsurpassed methodology for authentication.

Kind regards

Ingo Struck

-- 
ingo () ingostruck de
Use PGP: http://ingostruck.de/ingostruck.gpg with fingerprint
C700 9951 E759 1594 0807  5BBF 8508 AF92 19AA 3D24
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE/JChnhQivkhmqPSQRAg9+AKDdOCRT5Uyu9QBuv2NbKpJenOsUhACeIZN8
CtE1eloRS+iLeQIlvow97tI=
=n5n6
-----END PGP SIGNATURE-----