[WEB SECURITY] Improving Authentication on the Internet
nowen at wikidsystems.com
Fri May 20 12:52:55 EDT 2005
Mitja Kolsek wrote:
>>I'm not disagreeing with your analysis, but wouldn't your
>>method invalidate the need for the local root cert? If
>>you're going to trust Verisign to affirm the authenticity of
>>the local root cert, then you're back to the same place you
>>were before you created your own - trusting the existing root certs.
> True, but the issue of trusting the default root certs, while an issue
> indeed, is in my opinion a bit less severe than installing a new
> un-trustable root cert. I find the latter easier to spoof than the default
> root certs (which requires tricking the user into installing a rogue
> browser, providing also other simpler attack options once the user would run
> attacker's code on his computer). Besides, installing new root certs is
> something we don't want to become too common a practice: each of them can
> issue server certificates for any web server, so to use the "weakest link"
> concept here, we can only trust the SSL-provided server authentication as
> much as we can trust the least trusted root cert in our store. While people
> like us can manually check each server cert to see who issued it (but does
> anyone, really?), most people won't.
> I guess this maps nicely to Gervase's paper, only not in the area of
> trusting server certs, but installing additional root certs: how secure is
> the process of their installation, and what's the level of trust users
> should put in them (and on what basis).
I was recently pointed to this Firefox plug-in while discussing the need
for CAs on another list. We were discussing trust models that don't
require a root CA to validate the identity of the company running the
web server, but that are still cryptographically secure.
The toolbar allows you to enter a 'petname' for the SSL certified site.
If the cert changes, the pet name changes to 'untrusted' - the default
for any unknown cert.
WiKID Systems, Inc.
At last, two-factor authentication, without the hassle factor
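
The petname behaviour described in the message above, sketched as an added example; it is not part of the original post and is not the toolbar's own code. Keying on a SHA-256 fingerprint of the certificate bytes and the unique-petname rule are assumptions, and the names PetnameStore, fingerprint and the sample byte strings are hypothetical.

```python
import hashlib

UNTRUSTED = "untrusted"  # label for any certificate the user has not named


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes; a reissued cert gets a new key."""
    return hashlib.sha256(cert_der).hexdigest()


class PetnameStore:
    """User-chosen names keyed by certificate fingerprint, not hostname or CA."""

    def __init__(self):
        self._names = {}  # fingerprint -> petname

    def assign(self, cert_der: bytes, petname: str) -> None:
        petname = petname.strip()
        if not petname or petname.lower() == UNTRUSTED:
            raise ValueError("petname must be non-empty and not the reserved label")
        fp = fingerprint(cert_der)
        # Assumption: a petname is unique, so a second certificate cannot
        # be given a name that already identifies another site.
        for other_fp, name in self._names.items():
            if other_fp != fp and name.lower() == petname.lower():
                raise ValueError("petname already names another certificate")
        self._names[fp] = petname

    def label(self, cert_der: bytes) -> str:
        """What the toolbar would display for the presented certificate."""
        return self._names.get(fingerprint(cert_der), UNTRUSTED)


# Constructed stand-ins for DER certificate bytes (not real certificates).
BANK_CERT = b"constructed cert: CN=www.bank.example key=A"
BANK_CERT_CHANGED = b"constructed cert: CN=www.bank.example key=B"
LOOKALIKE_CERT = b"constructed cert: CN=www.bank-example.test key=C"


def demo():
    store = PetnameStore()
    store.assign(BANK_CERT, "my bank")
    # Same host with a different cert, and a lookalike host, both fall back.
    return [store.label(c) for c in (BANK_CERT, BANK_CERT_CHANGED, LOOKALIKE_CERT)]


if __name__ == "__main__":
    print(demo())
```

Because the lookup never consults a CA or the hostname, a certificate that chains to a trusted root still shows as 'untrusted' until the user names it.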