Re: Why couldn't Public keys replace Passwords on the Internet?

From: Aaron Dodd (aaron@aarondodd.com)
Date: 01/27/03


From: "Aaron Dodd" <aaron@aarondodd.com>
Date: Sun, 26 Jan 2003 21:03:49 -0500

On Fri, 24 Jan 2003 11:19:00 +0000, Karl Levinson [x y] mvp wrote:

> First, I'd think you'd need a cert authority,

Not really. This would be more analogous to using a public/private
key-pair for authenticating an SSH session. The private key doesn't
garantee you're John Doe, per se, so much as it garantees you're the
person that created the account/password on the target website.

> Storage of the private key on the client
> instead of the server and relying on the client to authenticate the user
> seems like a step backwards instead of forwards to me, certainly you'd need
> to do it carefully to store the private key securely. At a minimum, I would
> think that each web site would have different requirements for the level of
> authentication security, and with this scheme they'd have no control over
> this.

I think you're confusing the suggestion a little. The site wouldn't store
the private key at all, so there'd be no issue with the security of the
private key (from the server's standpoint). All the server would need to
do is store the public-key/challenge phrase.

The site would then provide this information to the client/browser and it'd be up
to the client/browser to determin if the challenge correctly matches the
private key.

Private-key management would be no more difficult than the current
password/form info storage most browsers provide.