Maybe It's Snake Oil All the Way Down

[Dave Howe]

Anonymous Sender wrote:
> James A. Donald writes:
> E-Gold could set things up to allow its customers to authenticate with
> certs issued by Verisign, or with considerably more work it could even
> issue certs itself that could be used for customer authentication.
> Why doesn't it do so?  Well, it's a lot of work,
Nope. issuing certs to someone is trivial from both a server and a user
endpoint - the user just gets a "click here to request your key" and hits ok
on a few dialog boxes; the server simply hosts some pretty off-the-shelf
cgi.

> and it would have
> some disadvantages - for one thing, customers would have difficulty
> accessing their accounts from multiple sites, like at home and at
> work.
Not so much that as have a much bigger security issue. Maintaining keys
securely would then become a task for the client, and while keeping a
written password secret is something most people can handle the concept of,
keeping a block of computer data safe from random trojans while exporting it
to be transported between machines is much, much harder.
Of course, you *could* generate the key entirely locally on the server,
protecting it with a HTTPS download, and protect it with the enduser's
password (not sure how secure the PKCS password is - if it isn't, then use
some self-decoding-exe like the 7z one) but that still wouldn't force the
end user to do more than hit "import" and have it stored insecurely on their
client machine.

> Further,
> it would require customers to use some features of their browser that
> most of them have never seen, which is going to be difficult and
> error-prone for most users.
its surprisingly reliable and easy - particuarly if your end users are just
using the MS keystore, which requires them to do no more than double-click
the pkcs file and hit "next" a few times.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com