[WEB SECURITY] Improving Authentication on the Internet

Rich Salz rsalz at datapower.com
Thu May 12 12:54:35 EDT 2005

> On the 17th of this month, at the invitation of Comodo, the major CAs 
> and browser vendors (including mozilla.org) are having a meeting in New 
> York to discuss some of the issues surrounding the future of SSL and 
> trust on the Internet.

What, no users?  These private invite-only things are rarely a good 
idea.  Most security and trust folks don't work for a "major" CA or 
browser vendor.

BTW, does anyone know what makes a Comodo high-value (their words) 
different from others?  As in, what cert extensions are there?  What, 
exactly, does their VEngine pick up on?

> http://www.gerv.net/security/improving-authentication/

I read through this.  I have some real problems with your "Privacy, 
Validation, and Authentication" section.  To start, your use of the 
terms validity and authentication isn't standard; you might want to 
look at RFC 2828 for the standard definition of terms.  Do you really 
mean "trust"?  I also don't understand why privacy is necessary for 
(your use of) authentication; why can't you have trusted communications 
in public?

As for "enable revocation," you might also want to look at the W3C's 
XKMS protocol.


Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html

The Web Security Mailing List