On Sun, 2003-12-21 at 21:40, Andrew Ho wrote:
> The current "standard" appears to be username-password pair for
> authenticating client-systems and SSL/certificate for servers --> over
> https encrypted link.

The main problem with simple username/password pairs, HTTPS notwithstanding, is the need for the client to prove his or her identity to **each** server **every** time the user's password is negotiated or re-negotiated. Such proof needs to be conducted out-of-band to be secure. That might be acceptable when you are dealing with one server, but typically you would have to deal with tens or hundreds in the course of normal interaction with the health care system. PKI (including the GPG web-of-trust system) is much more scalable. Username/passwords might be OK in a highly centralised system like the UK NHS, but I can't see it being viable as the universal solution to security and authentication here in Australia, where things are much more distributed and organisations more discrete.

> Since this is good enough for banking, I suspect it is fine for health
> information too. Client-side certificate is just too much of a hassle for
> most people to use.

Most people deal with only one or two banks at a time, whereas most health practitioners deal with dozens of organisations, and specialist physicians with hundreds (since each GP is effectively a different organisation). That's a big difference between health care and banking.

--
Tim C

PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere
or at http://members.optushome.com.au/tchur/pubkey.asc
Key fingerprint = 8C22 BF76 33BA B3B5 1D5B EB37 7891 46A9 EAF9 93D0