Oleg Nitz wrote:
>
> On Friday 26 January 2001 00:59, Wim De Clercq wrote
> >
> > Initially I thought it would enforce the use of a persistent key
> > store at client side, but it is of course possible to generate the
> > key pair on the fly as described by Luke.
> I don't understand how you are going to provide reliable user
> authentication without a persistent key store at the client side.
> Please explain this to me.
> If it is password based then IMHO the level of security is the same
> as now.
>
It isn't really any more secure - it just separates the initial
authentication protocol from subsequent validations of the client's
credentials. So it doesn't make the authentication method any more
secure, but the "real" credentials only need to be supplied at the
start of the session and can be disposed of afterwards. It also means
that other servers in a distributed system can validate the credentials
without accessing the security server - they only need a copy of the
security server's certificate.
Luke.
--
Luke Taylor.
PGP Key ID: 0x57E9523C
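The separation Luke describes, as an added example that is not part of the original thread: a security server checks the password once, signs a credential with a key only it holds, and any other server validates that credential using nothing but the security server's public key, with no call back to the security server. Ed25519, the expiry field, the claims encoding and the user/password values are all constructed assumptions; the thread does not say which signature scheme or credential format was intended, and a deployed system would carry the public key in a certificate rather than as a bare key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential is what the security server returns after the one-time password
// check: the claims plus the security server's signature over them.
type Credential struct {
	User   string
	Expiry uint64 // constructed: seconds since epoch
	Sig    []byte
}

// claims is the byte string that gets signed; NUL separates user and expiry.
func (c Credential) claims() []byte { return []byte(fmt.Sprintf("%s\x00%d", c.User, c.Expiry)) }

// SecurityServer: the only copy of the signing key, plus a constructed password map.
type SecurityServer struct {
	priv      ed25519.PrivateKey
	passwords map[string]string
}

// Authenticate is the password-based step run once at session start; the
// password itself is not carried in the credential that comes back.
func (s *SecurityServer) Authenticate(user, pass string, expiry uint64) (Credential, bool) {
	if p, ok := s.passwords[user]; !ok || p != pass {
		return Credential{}, false
	}
	c := Credential{User: user, Expiry: expiry}
	c.Sig = ed25519.Sign(s.priv, c.claims())
	return c, true
}

// Validate is what any other server runs: it needs only the security server's
// public key and never contacts the security server.
func Validate(pub ed25519.PublicKey, c Credential, now uint64) bool {
	return now < c.Expiry && ed25519.Verify(pub, c.claims(), c.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ss := &SecurityServer{priv: priv, passwords: map[string]string{"wim": "s3cret"}}
	cred, ok := ss.Authenticate("wim", "s3cret", 1000)
	fmt.Println(ok, Validate(pub, cred, 500), Validate(pub, cred, 1500))
	cred.User = "luke" // tampered claims no longer match the signature
	fmt.Println(Validate(pub, cred, 500))
}
```

Note that, as the thread says, this does not make the password step itself any stronger; it only lets the password be discarded after the first exchange and keeps the signing key off every server except the security server.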