Re: Why couldn't Public keys replace Passwords on the Internet?
From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 01/24/03
From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com> Date: Fri, 24 Jan 2003 11:19:00 -0500
First, I'd think you'd need a cert authority, which probably wouldn't be
free [especially since the CA itself would need to somehow verify your
identity when the cert is set up to prevent someone from generating a cert
and pretending they are you, like they can do currently with PGP].
Generating certs is rarely automatic and frequently not trouble-free,
causing pains for end users. Storage of the private key on the client
instead of the server and relying on the client to authenticate the user
seems like a step backwards instead of forwards to me; certainly you'd need
to do it carefully to store the private key securely. At a minimum, I would
think that each web site would have different requirements for the level of
authentication security, and with this scheme they'd have no control over
this.
[Or maybe this is a brilliant idea that is just over my head, who can say.]
"Dave" <galt_57@hotmail.com> wrote in message
news:5591d176.0301240630.59d6c48c@posting.google.com...
> What if you just used a challenge and response system to replace
> passwords? The browser could hold the user's password which would
> generate his private key. Websites would be allowed to challenge with
> a date-time-magic-cookie-root-web-address using your public key. Your
> browser would then prompt you to see if it should respond to prove
> your identity.
>
> Advantage: you would just log into your browser. Only one password to
> remember. Also no passwords would be passed across the internet. The
> root-address check would eliminate fake webpages and the date-time
> field would obsolete any visible data.
>
> Dave
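The challenge-and-response exchange proposed in the quoted message, sketched in Go as an added example (not code from the thread or from either poster). The names Challenge, Respond, Verify and keyFromPassword, the origin https://shop.example and the choice of Ed25519 are assumptions; bare SHA-256 stands in for the slow, salted key derivation a password-derived key would need.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// Challenge carries the fields listed in the proposal: site root address, date-time, magic cookie.
type Challenge struct {
	Origin, Cookie string
	Issued         time.Time
}

// bytes gives the exact message that is signed; %q quoting keeps field boundaries unambiguous.
func (c Challenge) bytes() []byte {
	return []byte(fmt.Sprintf("%q|%d|%q", c.Origin, c.Issued.Unix(), c.Cookie))
}

// keyFromPassword: bare SHA-256 is an assumption to keep the sketch short; use a salted, slow KDF.
func keyFromPassword(pw string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(pw))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Respond is the browser side: it signs only when the challenge names the origin of the page actually loaded.
func Respond(priv ed25519.PrivateKey, c Challenge, pageOrigin string) ([]byte, error) {
	if c.Origin != pageOrigin {
		return nil, fmt.Errorf("challenge names %q but page is %q", c.Origin, pageOrigin)
	}
	return ed25519.Sign(priv, c.bytes()), nil
}

// Verify is the site side: own origin, freshness window, then the signature.
func Verify(pub ed25519.PublicKey, c Challenge, sig []byte, self string, now time.Time, maxAge time.Duration) bool {
	if age := now.Sub(c.Issued); c.Origin != self || age < 0 || age > maxAge {
		return false
	}
	return ed25519.Verify(pub, c.bytes(), sig)
}

func main() {
	pub, priv := keyFromPassword("constructed passphrase")
	c := Challenge{Origin: "https://shop.example", Issued: time.Now(), Cookie: "c0ffee"} // constructed values
	sig, err := Respond(priv, c, "https://shop.example")
	fmt.Println(err, Verify(pub, c, sig, "https://shop.example", time.Now(), 5*time.Minute))
}
```

A signed response stays valid for the whole freshness window, so a site using this would also record each cookie and accept it once.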