
Re: Problems with most web app auth schemes

From: Tim <tim-security(at)sentinelchicken.org>
Date: Sun Jul 27 2003 - 21:17:04 EDT


> That is true. *HOWEVER* this misses the point of a PKI, CAs and RAs.

Of course. This is obvious.

The thing is, the vast majority of web applications do no authentication upon signup. None at all. You set up a Yahoo account; do they care if you are really John Q. Doe? No. But once you do have an account and you start *using* that account, people begin to implicitly think that the email address you use is actually you, whether you ever state your name or not. That is how humans are. Currently though, systems are pretty easy to attack even after the account is set up.

So, the point is, you could sign up for a Yahoo account with a private key, associate it with your new Yahoo email address, and there we have it. A good authentication system based upon the initial signup. (And only as good as the initial setup.)

You do bring up a good point, that is, another poster in this discussion stated "Authentication is easy". This is totally bogus. The most difficult part of any of this is identifying who you are talking to upon first contact. This is why your CAs will do so much (probably not enough) checking on your identity when you buy a cert. So yeah, this is a really hard problem.

But, this isn't the problem most people want to solve. And there is no reason why people shouldn't have the option to use a public key system for website authentication. It just makes sense. That way, the system will no longer rely on the technical security of your apps, it will merely rely on the amount of verification the administrators decide to employ upon sign-up. They should have the ability to pick a PKI of their own. (Should a decent standard for those exist some day. =)

tim

Received on Sun Jul 27 23:12:59 2003
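The scheme the post sketches, as an added example that is not part of the original message: a public key is bound to the account at signup, and every later login is a signed one-time challenge, so the server never holds a password and a captured signature cannot be replayed. The account name, nonce size and Ed25519 choice are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// AuthServer holds the public key registered at signup for each account
// and the outstanding one-time login challenges.
type AuthServer struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Signup binds a public key to a new account. No identity vetting happens
// here, exactly as the post describes: the binding is only as good as signup.
func (s *AuthServer) Signup(email string, pub ed25519.PublicKey) error {
	if _, exists := s.keys[email]; exists {
		return errors.New("account already exists")
	}
	s.keys[email] = pub
	return nil
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *AuthServer) Challenge(email string) ([]byte, error) {
	if _, ok := s.keys[email]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32) // assumed nonce size
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[email] = nonce
	return nonce, nil
}

// Login verifies the client's signature over the issued nonce. The nonce is
// consumed whether or not verification succeeds, so it cannot be replayed.
func (s *AuthServer) Login(email string, sig []byte) bool {
	nonce, ok := s.challenges[email]
	delete(s.challenges, email)
	if !ok {
		return false
	}
	return ed25519.Verify(s.keys[email], nonce, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // client-side keypair
	s := NewAuthServer()
	_ = s.Signup("alice@example.com", pub) // constructed sample account
	nonce, _ := s.Challenge("alice@example.com")
	fmt.Println("login ok:", s.Login("alice@example.com", ed25519.Sign(priv, nonce)))
}
```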

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT
