> But you can do at least as good as these forms of ID. PKI requires
> knowledge of some sort of passkey. (I just worry about identification
> for people who are not smart enough to pick a good key. Which,
> unfortunately, is also most people.)

My understanding is a passkey just needs sufficient entropy in order to be
strong.

This can be a few characters drawn from a larger character set - your
password must be no more than 16 chars and must contain upper and lower
case, numbers and punctuation.

Alternatively it could be a long string made up of a restricted character
set - your pass phrase can consist of any text characters but must not
contain long repetitions and be at least 200 characters long (say).

Thus a passphrase may be a quote from your favorite movie, a lyric or the
like. This can then be hashed into a higher entropy string (is this
statement true?) used for authentication.

I don't understand why modern security systems have an upper limit on 
passphrase length.

(waits for people who know better to tell him he is dumb).

-Steve
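
Added example, not part of the original message: the two password policies above compared by entropy, and a passphrase of any length hashed to a fixed-size key, where the key can take no more distinct values than there were candidate phrases. The function names, the salt, the iteration count and the sample phrases are constructed for illustration.

```python
import hashlib
import math

def uniform_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each character is drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def derive_key(passphrase: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hash a passphrase of any length to a fixed 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)

def effective_key_bits(candidate_count: int, key_len_bytes: int = 32) -> float:
    """Guessing entropy of the derived key: capped by the input space and the key size."""
    return min(math.log2(candidate_count), 8.0 * key_len_bytes)

def distinct_keys(candidates, salt: bytes, iterations: int = 1_000) -> set:
    """Derive one key per candidate phrase; the set is no larger than the candidate list."""
    return {derive_key(c, salt, iterations) for c in candidates}

# Constructed sample data: a demo salt (real systems use a random per-user salt)
# and a tiny stand-in for "well-known quotes and lyrics".
DEMO_SALT = b"constructed-demo-salt"
KNOWN_PHRASES = [
    "constructed movie quote number one, typed exactly as remembered",
    "constructed song lyric number two, with the chorus repeated twice",
    "constructed proverb number three",
    "constructed catchphrase number four",
]

if __name__ == "__main__":
    print(f"16 random chars from 94 symbols : {uniform_entropy_bits(94, 16):6.1f} bits")
    print(f"200 random chars from 27 symbols: {uniform_entropy_bits(27, 200):6.1f} bits")
    keys = distinct_keys(KNOWN_PHRASES, DEMO_SALT)
    print(f"{len(keys)} possible keys of {len(next(iter(keys))) * 8} bits each, "
          f"worth {effective_key_bits(len(KNOWN_PHRASES)):.1f} bits to a guesser")
    long_key = derive_key("x" * 5000, DEMO_SALT, 1_000)
    print(f"5000-char passphrase still yields a {len(long_key)}-byte key")
```

The per-character figures hold only for characters chosen at random; a phrase picked from a pool of known texts is worth the logarithm of the pool size, however long it is.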
