[WEB SECURITY] Improving Authentication on the Internet

Rich Salz rsalz at datapower.com
Fri May 13 13:52:26 EDT 2005
> However, that's a very long document - and it's arranged to help you 
> find out "what does X mean", rather than "what word should I use for 
> concept Y". Therefore, could you give me some clue as to the terms you 
> think I should be using?

Fair enough.  How about:
	authentication -- knowing who the other party is
	assurance -- determining how much to "trust" them,
		or just use trust

> My point was that if you give your credit card number or other financial 
> details to Foo Corp., and subsequently get ripped off, they can say 
> "well, someone must have sniffed it in transit".
> 
> You can't hold people to account for misuse of data unless you know 
> exactly who you told and who you didn't.

Okay, that makes sense.  But not all communications are private.  For 
example, official government documents might be posted on the Internet 
with a digital signature, but not encrypted.  I got the impression you 
had privacy as an "always" prerequisite.

Also, if you post information in the clear it's not the receiving 
party's fault, which is what I thought your paper was saying.  There's a 
difference in "blame" between the two paragraphs of yours I quoted above.

> I've just had a quick glance. Are you suggesting that an XKMS-based 
> system could or should replace OCSP?

Could, and hopefully will.  Too soon to tell.

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/