On 31/1/09 03:50, Kyle Hamilton wrote:
This is very much akin to needing to authenticate that a machine used
to perform the transaction submission was, indeed, configured by the
information technology staff. This is a very important concept that
cannot be discounted or ignored.
Or, failed to be validated ;-)
I would recommend the following approach:
1) Per-machine keys/certificates, embedded into the machine's TPM or a
hardware dongle that cannot be removed from the machine, issued by a
particular CA name (referred to here as "MachineCA")
Which could probably be done as easily by welding one of those RSA
SecureId things to the side of the machine . . .
2) Per-user keys/certificates, stored normally, and issued by any other CA name.
Name and password. Done!
(You are of course right, I'm just being perverse here about the
insistience on using a philipps-head screw when already owning a hammer
and flat-screwdriver...)
People, remember: not every situation fits into your narrowly-defined
Holy Writ worldview. I've been trying to get this through your
collective heads for a while now.
I'm afraid, Kyle, this is the wrong group for this. This is about
Mozilla as she is, which is using Worldview X.509. It is not about
choosing another model, nor is it about even improving the current model
(note Mozilla's "standards" goal).
This is a situation that does not,
and the fact that you're trying to reinforce the dominant paradigm
without realizing that the standards allow for a LOT more leeway than
you're giving them credit for is only a testament to your
closed-minded dogmatic "expertise".
Sorry, that's unfair! Although understandable and frustrating.
This is a group about building the Mozo product and maintaining it. The
expertise here is in fixing bugs, and compatibility. Perhaps, with an
evolving creation of policy. And a nascent experiment in security UI,
to be nurtured at all costs....
The expertise sought after in this thread is about architecture of
solutions. Screwdrivers and hammers and all that...
iang
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
