Alice has three mobile phones and six laptops. Using embedded keys in those devices for authorization is no problem since each device can have a separate private key and the authentication server tracks the fact that there are nine devices that might authenticate Alice.
The same model can even be made to work for confidentiality. Alice can read her DRM-protected Kindle content on any one of those devices. (Though there may be limits on how many devices the DRM scheme will permit.)

Trying to make S/MIME email work in that scenario is futile. The sender only tracks one private key for Alice. So Alice has to export her private key to all her S/MIME clients. Not only is that terrible security practice, it is too much work. Worse, Alice has to repeat the process once a year.

That is why I no longer believe that end-to-end is a desirable quality. A security requirement that does not consider the cost it imposes versus the risks it mitigates is ideology.

On Wed, Feb 8, 2012 at 4:52 PM, Stephen Kent <[email protected]> wrote:
> At 3:03 PM -0500 2/8/12, Phillip Hallam-Baker wrote:
>>
>> But authentication works in that scenario because the protocols can allow
>> each user to have as many keys as they need. The key is not shared across
>> devices, the protocols allow for multiple cards per end user
>>
> Sorry, I don't understand your comment.
>
> Steve

--
Website: http://hallambaker.com/
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
