RSA SecurID and OATH technology have some great virtues:
- they cost nothing to integrate at the client end
- there is no client "footprint", so there's nothing to go wrong
- they are relatively easy to understand and use
- they're unquestionably better than reliance on user IDs and passwords.
Note that there is typically some close relationship between a SecurID token and the relying party, such that, if everything is working correctly, the relying party is pretty sure (most of the time) that the response originated from a valid token, although there are various kinds of attacks and vulnerabilities associated with originating that information and/or transmitting it to the relying party.
Most PKIs tend to focus on the integrity of the indication arriving at the relying party. The digital signature is an indication that something occurred at the remote end, namely that some entity accessed and used a private key. However, almost all PKI descriptions fail to focus on the primary event (the one a digital signature is supposed to indicate): that some form of 3-factor authentication actually occurred in the access and use of the private key. A lot of PKI has shifted the focus from the fundamental authentication business process (the integrity of the access and use of a private key) to the integrity of the communication that some (any arbitrary) access and use of a private key occurred, while failing to establish that there was any fundamental integrity actually associated with the actual access and use of the private key.
Aka, digital signatures are a secondary factor associated with the primary integrity event of concern. The primary integrity business process is the actual access and use of the private key. A digital signature is a secondary integrity factor: the indication or communication that some access and use of a private key has occurred (without any indication of the actual integrity of that access and use).
The actual access and use of the private key would be the primary integrity event of concern. The (high-integrity) communication that such an access and use has occurred is secondary to the actual access and use (although both can be considered attack targets or vulnerabilities).
Note that the integrity of the actual access and use of the private key, establishing some form of 3-factor authentication,
http://www.garlic.com/~lynn/subpubkey.html#3factor
and the communication (via a digital signature) that some actual access and use of the private key has occurred
are orthogonal to whether the relying party is relying on an (offline, unconnected) PKI model or a certificate-less model.
http://www.garlic.com/~lynn/subpubkey.html#certless
The PKI model was originally meant to target the scenario where the relying party has had no prior relationship with the originating party and/or
has no access and/or recourse to any other source of information (especially online access) about the originating party.
However, PKI descriptions have frequently obfuscated that there are other business processes with integrity issues (aka anything other than those related to certificate generation and use).
The actual core process that everything depends on is the integrity surrounding the access and use of the private key, and all other processes are scaffolding intended to provide a remote relying party some indication that the access and use of a private key has occurred.
PKI models frequently fail to even bother to describe that the primary integrity issue is the access and use of the private key (and everything else is secondary). PKI models also frequently fail to describe that they are intended for the offline, unconnected business environment, which has become a small minority of actual business processes in the world today.
---------------------------------------------------------------------
The Cryptography Mailing List
