Re: Pub/priv key security

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 12/09/03

• Next message: Eric: "Mocana SSH and SSL"
• Previous message: lyal: "Re: Pub/priv key security"
• In reply to: lyal: "Re: Pub/priv key security"
• Next in thread: Chris Mattern: "Re: Pub/priv key security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 09 Dec 2003 13:16:00 GMT

"lyal" <lyalc@spam.ozemail.com.au> writes:
> their respective software modules) must both trust the same public
> keys. Exchanging public keys is as costly and complex as sharing a
> secret - and often far more expensive.

but mitigates the human factor problem with having to remember scores
of different shared secrets. also two-factor authentication makes it
somewhat more difficult for phishing & social engineering
vulnerabilities.

the substition of public key registeration for a pin/password
registration needs to be no more expensive and use the same exact
business process ... aka
http://www.garlic.com/~lynn/index.html#aads
say in either a straight-forward radius scenario where public key
is registered instead of pin/password:
http://www.garlic.com/~lynn/subpubkey.html#radius
or a kerberos pk-init scenario where public key is registered
instead of pin/password:
http://www.garlic.com/~lynn/subpubkey.html#kerberos

or even the SSH public key scenario.

The big cost issue for public key comes when there is an attempt to
create a major change in the business processes and trust model with a
PKI build-out. There seems to have been some PKI implicit assumption
that if the trust model and business processes change over could be
done on massive enough scale ... that all the PKI costs would
eventually be recouped thru scale of operations (i.e. loose $100 on
every unit but make up for it in volume).

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/ 
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm

• Next message: Eric: "Mocana SSH and SSL"
• Previous message: lyal: "Re: Pub/priv key security"
• In reply to: lyal: "Re: Pub/priv key security"
• Next in thread: Chris Mattern: "Re: Pub/priv key security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: PGPsigs: the Choice of Con Artists ... They can insist whatever they want to insist but if I trust none of them ... You seem to have two problems: one is that you don't like the PGP signature ... signature or break public key encryption. ... (comp.os.linux.misc) Re: New Method for Authenticated Public Key Exchange without Digital Certificates ... > certificates were redundant and superfluous when the relying party ... > context of the original posting) and the semantic meaning of trust ... > the addition of public key operations to these environments isn't to ... > operations are the financial institutions. ... (sci.crypt) Re: Proposal for a new PKI model (At least I hope its new) ... That is say I trust Paul Rubin's public key. ... Paul likes the business so he signs their ... | 1) is the server i'm talking to really the server I think it is? ... (sci.crypt) RE: how can you verify that the site you get is not a fake? ... > returns some information to me, the browser. ... The cert that you recieve from a website is signed with the ... public key because factoring very large ... kind of background check) by which a ca that you trust signs keys. ... (Fedora) Re: [Full-Disclosure] a PGP signed mail? Has to be spam! ... No, they can be expired or revoked, but not invalid. ... not you trust the key used for signing. ... matching public key on your keyring, ... Think of all the tests spam filters are running, ... (Full-Disclosure)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint