there is somewhat of an ancillary philosophical issue. most of the current password-based systems have been oriented towards a static environment ... contributing to a mindset that addresses authentication technology as a static issue.

the PKI paradigm goes even further in contributing to a somewhat rigid, stale, static view of authentication technology ... spending an enormous amount of effort focusing on the rigid, stale, static nature of the issued digital certificates. this can be contrasted with the real-time authentication environment provided by RADIUS-like technologies ... not only providing for integrated overall management and administration ... but also real-time integrated operation of authentication, authorization, and accounting.

minor confession ... in a past life i actually assisted with radius configuration on real, live livingston boxes for a small startup ... when radius was still a purely livingston technology.
http://www.garlic.com/~lynn/subpubkey.html#radius

radius-like technologies provide an extremely agile, real-time environment integrating the management, administration, and operation of multiple, co-existing authentication technologies ... along with integrated real-time authorization and accounting.

given that you are freed from the static-oriented authentication technologies (like PKI) and the related stale, static mindset ... one could even imagine radius-like implementations extended to parameterized risk management; where the infrastructures apply integrity classifications to different authentication technologies and processes ... and authorization infrastructures specify minimal acceptable authentication integrity levels.
http://www.garlic.com/~lynn/subpubkey.html#certless

some of this is born out of the credit-card industry, where real-time authorization can be associated with unique credit limit values on an account-by-account basis ... as well as account-specific "open-to-buy" ... aka the difference between the account's outstanding charges and the account's credit limit (aka allows dynamic co-existence of a wide range of different credit limits and dynamic risk management authorization operations).

for instance, a parameterized risk management operation in an agile, real-time, integrated environment might allow for an integrity level with a simple "something you are" digital signature for some permissions ... but other permissions may require that the public key has been registered with a certified hardware token of minimal specified integrity characteristics, and furthermore, that the authentication operation be co-signed by a finread-like technology certified station.
http://www.garlic.com/~lynn/subpubkey.html#finread

there is a very loose analogy between using the structuring of role-based access control for fine-grain permissions ... and the structuring of authentication integrity levels ... for dynamic application for permission purposes.

part of the problem that stale, static PKI-oriented infrastructures have foisted is the focus on the characteristics of the stale, static digital certificate ... as opposed to being free to concentrate on the real-time, dynamic operational characteristics of each individual authentication event (and not having to be bound by stale, static infrastructure characteristics).

of course, anytime i mention agile, dynamic operation ... i frequently digress to also throwing in boyd and ooda-loop references:
http://www.garlic.com/~lynn/subboyd.html#boyd2
http://www.garlic.com/~lynn/subboyd.html#boyd

and for even further topic drift ... numerous references to having created dynamic, adaptive resource management as an undergraduate in the '60s
http://www.garlic.com/~lynn/subtopic.html#fairshare
http://www.garlic.com/~lynn/subtopic.html#wsclock
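the parameterized risk management idea above (integrity levels assigned per authentication event, permissions specifying a minimal acceptable level, plus a credit-card style open-to-buy check) as a small added illustration; this is not code from the post or from any radius implementation, and the level scale, the permission table and the account values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed integrity scale for real-time authentication events; higher is stronger.
LEVEL_PASSWORD = 1           # something you know
LEVEL_SIGNATURE = 2          # digital signature, key registered without hardware assurance
LEVEL_HW_TOKEN = 3           # key registered with a certified hardware token
LEVEL_HW_TOKEN_COSIGNED = 4  # hardware token plus co-signature by a certified (finread-like) station

@dataclass(frozen=True)
class AuthEvent:
    method: str                       # "password" or "signature"
    hw_token_certified: bool = False  # key registered with a certified hardware token
    station_cosigned: bool = False    # operation co-signed by a certified station

def integrity_level(ev: AuthEvent) -> int:
    """Classify one authentication event, at the time it happens, into an integrity level."""
    if ev.method == "password":
        return LEVEL_PASSWORD
    if ev.method != "signature":
        raise ValueError(f"unknown authentication method {ev.method!r}")
    if ev.hw_token_certified and ev.station_cosigned:
        return LEVEL_HW_TOKEN_COSIGNED
    if ev.hw_token_certified:
        return LEVEL_HW_TOKEN
    return LEVEL_SIGNATURE

# Constructed policy: minimal acceptable integrity level per permission.
REQUIRED_LEVEL = {
    "view_balance": LEVEL_SIGNATURE,
    "small_transfer": LEVEL_HW_TOKEN,
    "large_transfer": LEVEL_HW_TOKEN_COSIGNED,
}

@dataclass
class Account:
    credit_limit: int
    outstanding: int = 0

    @property
    def open_to_buy(self) -> int:
        # difference between the credit limit and the outstanding charges
        return self.credit_limit - self.outstanding

def authorize(ev: AuthEvent, permission: str, account: Account, amount: int = 0) -> tuple[bool, str]:
    """Real-time authorization: integrity level first, then the account's open-to-buy."""
    required = REQUIRED_LEVEL.get(permission)
    if required is None:
        return False, f"unknown permission {permission!r}"
    level = integrity_level(ev)
    if level < required:
        return False, f"integrity level {level} below required {required}"
    if amount > account.open_to_buy:
        return False, f"amount {amount} exceeds open-to-buy {account.open_to_buy}"
    account.outstanding += amount  # accounting: the charge is recorded as part of the same operation
    return True, "ok"
```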
