Re: Why couldn't Public keys replace Passwords on the Internet?

From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 01/24/03


From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com>
Date: Fri, 24 Jan 2003 11:19:00 -0500

First, I'd think you'd need a cert authority, which probably wouldn't be
free [especially since the CA itself would need to somehow verify your
identity when the cert is set up to prevent someone from generating a cert
and pretending they are you, like they can do currently with PGP].
Generating certs is rarely automatic and frequently not trouble-free,
causing pains for end users. Storage of the private key on the client
instead of the server and relying on the client to authenticate the user
seems like a step backwards instead of forwards to me; certainly you'd need
to do it carefully to store the private key securely. At a minimum, I would
think that each web site would have different requirements for the level of
authentication security, and with this scheme they'd have no control over
this.

[Or maybe this is a brilliant idea that is just over my head, who can say.]

"Dave" <galt_57@hotmail.com> wrote in message
news:5591d176.0301240630.59d6c48c@posting.google.com...
> What if you just used a challenge and response system to replace
> passwords? The browser could hold the user's password which would
> generate his private key. Websites would be allowed to challenge with
> a date-time-magic-cookie-root-web-address using your public key. Your
> browser would then prompt you to see if it should respond to prove
> your identity.
>
> Advantage: you would just log into your browser. Only one password to
> remember. Also no passwords would be passed across the internet. The
> root-address check would eliminate fake webpages and the date-time
> field would obsolete any visible data.
>
> Dave

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.443 / Virus Database: 248 - Release Date: 1/10/2003
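Dave's scheme as quoted above, worked through as an added example (this is not code from either poster): the browser derives a signing key from its one password, the site issues a "date-time-magic-cookie-root-web-address" challenge, the browser signs it only for the origin it is actually visiting, and the site checks origin, freshness and signature. The `unixtime|nonce|origin` challenge layout, Ed25519 and iterated SHA-256 in place of a real password KDF are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// deriveKey: password -> signing key; iterated SHA-256 stands in for scrypt/Argon2.
func deriveKey(password, salt string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(salt + ":" + password))
	for i := 0; i < 100000; i++ {
		seed = sha256.Sum256(seed[:])
	}
	return ed25519.NewKeyFromSeed(seed[:])
}

// makeChallenge builds the site's "date-time-magic-cookie-root-web-address".
func makeChallenge(origin string, now time.Time) string {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	return fmt.Sprintf("%d|%x|%s", now.Unix(), nonce, origin)
}

// clientRespond (browser side) signs only if the challenge names the origin the
// user is actually visiting, so a fake page cannot relay a real site's challenge.
func clientRespond(key ed25519.PrivateKey, challenge, visited string) ([]byte, error) {
	parts := strings.SplitN(challenge, "|", 3)
	if len(parts) != 3 || parts[2] != visited {
		return nil, fmt.Errorf("challenge is not for %q", visited)
	}
	return ed25519.Sign(key, []byte(challenge)), nil
}

// serverVerify checks origin, freshness (the date-time field) and signature
// against the enrolled public key, and remembers nonces to block replay.
func serverVerify(pub ed25519.PublicKey, origin, challenge string, sig []byte, now time.Time, maxAge time.Duration, seen map[string]bool) bool {
	parts := strings.SplitN(challenge, "|", 3)
	ts, err := strconv.ParseInt(parts[0], 10, 64)
	if len(parts) != 3 || err != nil || parts[2] != origin || seen[parts[1]] ||
		now.Sub(time.Unix(ts, 0)) > maxAge || !ed25519.Verify(pub, []byte(challenge), sig) {
		return false
	}
	seen[parts[1]] = true
	return true
}
```

Note that the site still only learns that whoever holds the password-derived key signed; as Karl points out, how well that key is protected on the client is outside the site's control.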
