At 2001-12-30 21:37 +0000, Dmitry Salnikov wrote:

>> Also, remember that using a passphrase for account protection
>> means you are relying only on "something you know". Using public
>> key cryptography (digital certificates), you add in an extra security
>> measure: "something you have". By adding a digital certificate to the
>> login procedure for your DGC account, your gold holding is protected
>> against all passphrase attacks, because the cracker does not have
>> your digital certificate, which is stored securely in your web
>> browser.
>
> "Something you have" in this case really means
> "something your computer knows", which will cause
> proliferation of viruses which will harvest these
> digital certificates and send them to malicious
> people, while users will have a false feeling
> of security.

Harvesting a cert from a browser/OS (operating system) is at least an order of magnitude more difficult than sniffing keyboard strokes. Also, the cert can be secured further by storing it on a smartcard running its own OS, which effectively isolates the cert from the potentially insecure/"trojanized" browser/OS.

> The real "something you have" is genetic code
> plus your birth date, which will ensure that there
> is no malicious clone in action, and even this is
> complicated with twins and other cases.

I also consider a physical object in my possession (e.g., a smartcard, a computer/PDA with a hardened OS, a GSM phone, etc.) as "something I have", which I believe is a common assumption in the real world/meatspace.

> Anyway, it is rather a religious discussion because there
> will always be the people who rely on something they know
> and the people who rely on something they have.

Exactly. That's why it's good to offer both options.

> e-Gold in its present state is good for advanced users
> who are able to remember long and complex passphrases and
> want more freedom in account management, while the systems
> with digital certificates are good for average users
> who are not able to remember their passphrases.

Yes. Plus, using a cert (public key cryptography) also eliminates potential denial-of-service attacks where a bot tries to log in to an account 3 times every 15 minutes and effectively locks the legitimate owner out from accessing it.

> Maybe some sort of vitamin may help
> to improve memory capabilities for average users?
> Any ideas or opinions?

Creating long passphrases is an excellent mental exercise for sure. However, certs enable a secondary authentication method on top of the passphrase while offering other benefits aside from the extra security.

Sincerely,
Geoff Turk
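The lockout denial of service Geoff mentions above (a bot failing three logins every fifteen minutes so the real owner is always locked out), simulated as an added example. This is not code from the e-gold list or from e-gold itself: the 3-failure / 15-minute policy is taken from the message, but the account model, the schedule and the names are constructed for illustration, and a shared device secret stands in for the client certificate as the "something you have" that is checked before the passphrase is ever examined.

```python
import hashlib
import hmac
from collections import deque
from typing import Optional

# Policy numbers from the thread's example: three failures lock the account
# for fifteen minutes. Everything else in this file is an assumption made
# for illustration, not e-gold's actual behaviour.
LOCKOUT_THRESHOLD = 3
LOCKOUT_WINDOW_SECONDS = 15 * 60


class Account:
    """Minimal account record: a passphrase hash, an optional possession
    secret (standing in for a client certificate) and recent failure times."""

    def __init__(self, passphrase: str, device_secret: Optional[bytes] = None):
        self.pass_hash = hashlib.sha256(passphrase.encode()).digest()
        self.device_secret = device_secret
        self.failures = deque()  # timestamps of failed passphrase checks

    def is_locked(self, now: float) -> bool:
        # Forget failures that have aged out of the sliding window, then
        # compare what is left against the lockout threshold.
        while self.failures and now - self.failures[0] >= LOCKOUT_WINDOW_SECONDS:
            self.failures.popleft()
        return len(self.failures) >= LOCKOUT_THRESHOLD


def login_passphrase_only(acct: Account, passphrase: str, now: float) -> str:
    """'Something you know' alone: every wrong guess counts toward lockout,
    so an attacker who never knows the passphrase can still keep it locked."""
    if acct.is_locked(now):
        return "locked"
    offered = hashlib.sha256(passphrase.encode()).digest()
    if hmac.compare_digest(acct.pass_hash, offered):
        acct.failures.clear()
        return "ok"
    acct.failures.append(now)
    return "bad passphrase"


def login_with_device(acct: Account, device_secret: Optional[bytes],
                      passphrase: str, now: float) -> str:
    """Possession factor first (hypothetical stand-in for the certificate).
    An attempt without it is refused before the passphrase is looked at and
    therefore never adds to the failure count."""
    if (acct.device_secret is None or device_secret is None
            or not hmac.compare_digest(acct.device_secret, device_secret)):
        return "no device factor"
    return login_passphrase_only(acct, passphrase, now)


# Constructed schedule (seconds): the bot guesses three times at the start
# of each 15-minute window; the owner logs in correctly halfway through.
SCHEDULE = [
    (0, "bot"), (1, "bot"), (2, "bot"), (450, "owner"),
    (900, "bot"), (901, "bot"), (902, "bot"), (1350, "owner"),
]
OWNER_PASSPHRASE = "correct horse battery staple"   # constructed sample
OWNER_DEVICE = b"constructed-device-secret"          # constructed sample


def simulate(use_device: bool) -> dict:
    """Run the schedule under one policy and return each party's outcomes."""
    acct = Account(OWNER_PASSPHRASE, device_secret=OWNER_DEVICE)
    outcomes = {"bot": [], "owner": []}
    for t, who in SCHEDULE:
        if who == "bot":
            device, passphrase = None, "guess"       # no cert, wrong passphrase
        else:
            device, passphrase = OWNER_DEVICE, OWNER_PASSPHRASE
        if use_device:
            result = login_with_device(acct, device, passphrase, t)
        else:
            result = login_passphrase_only(acct, passphrase, t)
        outcomes[who].append(result)
    return outcomes


if __name__ == "__main__":
    print("passphrase only:", simulate(False))
    print("device + passphrase:", simulate(True))
```

With passphrase-only login the owner is told "locked" at both attempts even though the passphrase is correct, because the bot's three failures always sit inside the current window; with the possession factor gating the check, the bot's attempts are rejected as "no device factor" and the owner logs in normally both times.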
