[WEB SECURITY] Improving Authentication on the Internet
Rich Salz
rsalz at datapower.com
Thu May 12 12:54:35 EDT 2005
> On the 17th of this month, at the invitation of Comodo, the major CAs
> and browser vendors (including mozilla.org) are having a meeting in New
> York to discuss some of the issues surrounding the future of SSL and
> trust on the Internet.

What, no users? These private invite-only things are rarely a good
idea. Most security and trust folks don't work for a "major" CA or
browser vendor.

BTW, does anyone know what makes a Comodo high-value (their words)
different from others? As in, what cert extensions are there? What,
exactly, does their VEngine pick up on?

> http://www.gerv.net/security/improving-authentication/

I read through this. I have some real problems with your "Privacy,
Validation, and Authentication" section. To start, your use of the
terms validity and authentication isn't standard; you might want to
look at RFC 2828 for the standard definition of terms. Do you really
mean "trust"? I also don't understand why privacy is necessary for
(your use of) authentication; why can't you have trusted communications
in public?

As for "enable revocation," you might also want to look at the W3C's
XKMS protocol.

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/