[WEB SECURITY] Improving Authentication on the Internet

Gervase Markham gerv at gerv.net
Thu May 12 16:51:20 EDT 2005


Rich Salz wrote:
> What, no users?  These private invite-only things are rarely a good 
> idea.  Most security and trust folks don't work for a "major" CA or 
> browser vendor.

I believe that the idea is that this will turn into a working group of a 
standards body, which should allow wider participation.

>> http://www.gerv.net/security/improving-authentication/
> 
> I read through this.  I have some real problems with your "Privacy, 
> Validation, and Authentication" section.  To start, your use of the 
> terms validity and authentication aren't standard; you might want to 
> look at RFC 2828 for the standard definition of terms.  

I was concerned about my use of terms, and have already changed them at 
least once in response to feedback.

However, that's a very long document - and it's arranged to help you 
find out "what does X mean", rather than "what word should I use for 
concept Y". Therefore, could you give me some clue as to the terms you 
think I should be using?

> Do you really mean "trust"?  

Where? :-)

> I also don't understand why privacy is necessary for 
> (your use of) authentication; why can't you have trusted communications 
> in public?

My point was that if you give your credit card number or other financial 
details to Foo Corp., and subsequently get ripped off, they can say 
"well, someone must have sniffed it in transit".

You can't hold people to account for misuse of data unless you know 
exactly who you told and who you didn't.

> As for "enable revocation," you might also want to look at the W3C's 
> XKMS protocol.

I've just had a quick glance. Are you suggesting that an XKMS-based 
system could or should replace OCSP?

Gerv

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/