[WEB SECURITY] Improving Authentication on the Internet
Rich Salz
rsalz at datapower.com
Fri May 13 13:52:26 EDT 2005
> However, that's a very long document - and it's arranged to help you
> find out "what does X mean", rather than "what word should I use for
> concept Y". Therefore, could you give me some clue as to the terms you
> think I should be using?
Fair enough. How about:
authentication -- knowing who the other party is
assurance -- determining how much to "trust" them,
or just use trust
> My point was that if you give your credit card number or other financial
> details to Foo Corp., and subsequently get ripped off, they can say
> "well, someone must have sniffed it in transit".
>
> You can't hold people to account for misuse of data unless you know
> exactly who you told and who you didn't.
Okay, that makes sense. But not all communications are private. For
example, official government documents might be posted on the Internet
with a digital signature, but not encrypted. I got the impression you
had privacy as an "always" prerequisite.
Also, if you post information in the clear it's not the receiving
party's fault, which is what I thought your paper was saying. There's a
difference in "blame" between the two paragraphs of yours I quoted above.
> I've just had a quick glance. Are you suggesting that an XKMS-based
> system could or should replace OCSP?
Could, and hopefully will. Too soon to tell.
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
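The distinction drawn in this exchange, authentication ("who signed this?") as separate from assurance ("should I trust them?"), and the point that a signed document need not be encrypted, can be made concrete in code. The Go program below is an added example and is not part of the original e-mail or of any DataPower product: it posts a document in the clear with a detached Ed25519 signature, verifies it, shows that a one-bit change or a signature from a different key is rejected, and keeps a separate, assumed trust store (a hypothetical map from public key to publisher name) to show that a valid signature from an unknown key is authentic but not trusted. The sample document text, the agency name and the key pairs are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SignedDocument is what gets posted: the text in the clear plus a detached
// Ed25519 signature and the signer's public key. Nothing here is secret.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Publish signs content with priv. The content is deliberately left readable;
// the signature provides origin and integrity, not confidentiality.
func Publish(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{
		Content:   append([]byte(nil), content...),
		Signature: ed25519.Sign(priv, content),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Authentic answers "who signed this?": does the signature verify under the
// key carried with the document? It says nothing about whether to trust that key.
func Authentic(doc SignedDocument) bool {
	return len(doc.Signer) == ed25519.PublicKeySize &&
		ed25519.Verify(doc.Signer, doc.Content, doc.Signature)
}

// Trusted answers the separate assurance question: is the signing key one the
// reader has decided to rely on? The trust store is an assumed local policy,
// a plain map from hex-encoded public key to publisher name.
func Trusted(trust map[string]string, doc SignedDocument) (string, bool) {
	name, ok := trust[hex.EncodeToString(doc.Signer)]
	return name, ok
}

// Result collects the outcomes of the demo so they can be checked.
type Result struct {
	ReadableInClear   bool // anyone can read the posted content
	GenuineAuthentic  bool // untampered document verifies
	GenuineTrusted    bool // and its key is in the reader's trust store
	TamperedAuthentic bool // altered content must fail verification
	ImpostorAuthentic bool // a valid signature from an unknown key still verifies
	ImpostorTrusted   bool // but that key is not one the reader trusts
}

// Demo builds a genuine, a tampered and an impostor-signed document and
// runs both checks over each.
func Demo() Result {
	agencyPub, agencyPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Assumed trust store: only the agency's key is known to the reader.
	trust := map[string]string{hex.EncodeToString(agencyPub): "Example Agency"}

	// Constructed sample document; it is posted in the clear.
	content := []byte("NOTICE 17: constructed sample text of a public document")
	doc := Publish(agencyPriv, content)

	tampered := doc
	tampered.Content = append([]byte(nil), doc.Content...)
	tampered.Content[0] ^= 0x01 // flip one bit of the clear text

	impostor := Publish(impostorPriv, content) // same text, wrong key

	_, genuineTrusted := Trusted(trust, doc)
	_, impostorTrusted := Trusted(trust, impostor)

	return Result{
		ReadableInClear:   string(doc.Content) == string(content),
		GenuineAuthentic:  Authentic(doc),
		GenuineTrusted:    genuineTrusted,
		TamperedAuthentic: Authentic(tampered),
		ImpostorAuthentic: Authentic(impostor),
		ImpostorTrusted:   impostorTrusted,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The two checks are kept in separate functions on purpose: Authentic is pure cryptography and the same for every reader, while Trusted encodes a policy decision that each reader makes for itself, which is where a key-information service such as XKMS or a revocation check such as OCSP would plug in.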
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/