WebApp Sec mailing list archives
Re: Problems with most web app auth schemes
From: "George W. Capehart" <gwc () capehassoc com>
Date: Sun, 27 Jul 2003 18:45:49 -0400
On Sunday 27 July 2003 12:59 pm, Tim wrote:
> <snip>
> at sign-up time. Users can create public keys locally, self-signed, and never worry about having any 3rd party sign it.

That is true. *HOWEVER* this misses the point of a PKI, CAs and RAs. TRUST!!!! Exactly what is it in a locally-created, self-signed cert that induced me to have any confidence at all in the validity of the assertion the cert is making? This is why PKIs exist. This is why CPSs exist. This is why CAs and RAs exist. This is why CRLs exist. (Nominally) to provide the recipient of a public key/cert some small measure of reason to believe that the holder of the private key that is the partner of the public key being presented is who they are representing themselves to be.

Given the approach you recommend above, I can create a public key with your name in it and become you . . . Matter of fact, I've just created "your" public (PGP) key and will attach it to this message. Problem is, *I* have the private key associated with it . . . :->

/g

-- 
George W. Capehart
"With sufficient thrust, pigs fly just fine . . ." -- RFC 1925
Attachment: Tim.asc