[WEB SECURITY] Improving Authentication on the Internet

Rich Salz rsalz at datapower.com
Thu May 12 12:54:35 EDT 2005


> On the 17th of this month, at the invitation of Comodo, the major CAs 
> and browser vendors (including mozilla.org) are having a meeting in New 
> York to discuss some of the issues surrounding the future of SSL and 
> trust on the Internet.

What, no users?  These private invite-only things are rarely a good 
idea.  Most security and trust folks don't work for a "major" CA or 
browser vendor.

BTW, does anyone know what makes a Comodo high-value (their words) 
different from others?  As in, what cert extensions are there.   What, 
exactly, does their VEngine pick up on?

> http://www.gerv.net/security/improving-authentication/

I read through this.  I have some real problems with your "Privacy, 
Validation, and Authentication" section.  To start, your use of the 
terms validity and authentication isn't standard; you might want to 
look at RFC 2828 for the standard definition of terms.  Do you really 
mean "trust"?  I also don't understand why privacy is necessary for 
(your use of) authentication; why can't you have trusted communications 
in public?

As for "enable revocation," you might also want to look at the W3C's 
XKMS protocol.

	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
