On Wed, 10 Oct 2012, Guido Witmond wrote:
> Hello Everyone,
> I'm proposing to revitalise an old idea. With a twist.
> The TL;DR:
> 1. Ditch password based authentication over the net;
> 2. Use SSL client certificates instead;
> Here comes the twist:
> 3. Don't use the few hundred global certificate authorities to sign
> the client certificates. These CAs require extensive identity
> validations before signing a certificate. These certificates are
> only useful when the real identity is needed.
> Currently, passwords provide better privacy but lousy security;
> 4. Instead: install a CA-signer at every website that signs
> certificates that are only valid for that site. Validation
> requirement before signing: CN must be unique.
Looking at this just from the point of view of client-server
authentication, how is this any better than having the website generate a
cryptographically strong "password" at sign-up time, and then having the
client store it in the password cache of their browser?
Note that both solutions suffer from the same drawback: it becomes more
difficult for a user to log on from different computers.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
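To make the mechanism under discussion concrete, here is a sketch of the per-site signer from point 4 of the proposal: a site-local CA that issues a client certificate after checking only that the CN is unique at that site, and a login-time verifier that trusts nothing but that site's own root, so a certificate from another site (or any public CA) is rejected. This is an added illustration written for this thread, not code from either poster; the type and function names (SiteCA, Issue, Verify, NewClientKey) and the site names are constructed for the example, and it uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrDuplicateCN is the one enrolment failure the proposal defines: the site's
// signer refuses a CN it has already issued.
var ErrDuplicateCN = errors.New("site CA: CN already issued at this site")

// SiteCA models the per-site signer from the proposal (the type name is this
// example's own): a self-signed root, its key and a registry of issued CNs.
type SiteCA struct {
	Site   string
	cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	issued map[string]bool
}

// NewClientKey is the key pair a browser would generate and keep; the site only
// ever receives the public half.
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// sign fills in a random serial, signs tmpl with priv under parent and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial.Add(serial, big.NewInt(1)) // keep the serial positive
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewSiteCA creates a root whose only job is signing client certificates for one site.
func NewSiteCA(site string) (*SiteCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "client signer for " + site},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return nil, err
	}
	return &SiteCA{Site: site, cert: cert, key: key, issued: map[string]bool{}}, nil
}

// Issue signs a client certificate for cn. The only validation is uniqueness of
// the CN at this site; no real-world identity is checked, as the proposal intends.
func (ca *SiteCA) Issue(cn string, clientPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if ca.issued[cn] {
		return nil, ErrDuplicateCN
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := sign(tmpl, ca.cert, clientPub, ca.key)
	if err != nil {
		return nil, err
	}
	ca.issued[cn] = true
	return cert, nil
}

// Verify is the login-time check: the site trusts only its own root, so a
// certificate issued anywhere else chains to nothing here and is rejected.
func (ca *SiteCA) Verify(cert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	siteA, _ := NewSiteCA("example-a.test") // constructed site names
	siteB, _ := NewSiteCA("example-b.test")
	alice, _ := NewClientKey()
	cert, _ := siteA.Issue("alice", &alice.PublicKey)
	cn, err := siteA.Verify(cert)
	fmt.Println("at site A:", cn, err == nil)
	_, err = siteB.Verify(cert)
	fmt.Println("accepted at site B:", err == nil)
}
```

The site-scoping comes entirely from the trust store: each site's verifier holds one root, its own, so the same CN can be issued independently at two sites and a certificate never carries over between them. That is also why the reply's comparison is apt: a per-site, site-chosen secret that the browser stores and presents gives the same binding to one site, with the same "only on this machine" drawback, and the certificate version adds a public-key challenge in place of a bearer secret.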