ID "theft" -- so what?

Perry E. Metzger perry at piermont.com
Wed Jul 13 18:52:25 EDT 2005


Dan Kaminsky <dan at doxpara.com> writes:
>>This is yet more reason why I propose that you authorize transactions
>>with public keys and not with the use of identity information. The
>>identity information is widely available and passes through too many
>>hands to be considered "secret" in any way, but a key on a token never
>>will pass through anyone's hands under ordinary circumstances.
>
> It's 2005, PKI doesn't work, the horse is dead.

Who said PK_I_? I only mentioned P_K_. There is no need for an _I_
here -- a public key stored at the bank in a database is sufficient,
without any certificates at all. The token can store the bank's key
without any need for a cert, either. Neither needs to check the
"certification" of such keys -- the mere presence of the key in the
correct part of storage indicates it is valid, the same way that a
.ssh key file needs no certification, only existence.


-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
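
The scheme described in the message above, as an added example that is not part of the original post: the bank keeps a plain table of account-to-public-key entries and accepts an order only if it verifies under the stored key, with no certificate involved. Ed25519, the `Token` and `Bank` types, and the account ids are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Token stands in for the hardware token; the private key never leaves it.
type Token struct{ priv ed25519.PrivateKey }

// NewToken makes a key pair and returns the token plus the public key to enroll.
func NewToken() (*Token, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Token{priv}, pub
}

// encode quotes both fields so different field values never yield the same bytes.
func encode(account, order string) []byte {
	return []byte(fmt.Sprintf("%q %q", account, order))
}

// Sign authorizes one order for one account. A deployed format would also carry
// a nonce or sequence number so a captured signature cannot be replayed.
func (t *Token) Sign(account, order string) []byte {
	return ed25519.Sign(t.priv, encode(account, order))
}

// Bank is a plain table of account -> public key, like an authorized_keys file.
// A key's presence in the table is the only "certification" it gets.
type Bank map[string]ed25519.PublicKey

// Authorize consults only the stored key: no certificate, no identity data.
func (b Bank) Authorize(account, order string, sig []byte) error {
	pub, ok := b[account]
	if !ok || !ed25519.Verify(pub, encode(account, order), sig) {
		return errors.New("not signed by the enrolled key")
	}
	return nil
}

func main() {
	tok, pub := NewToken()
	bank := Bank{"acct-1001": pub} // constructed account id, key enrolled out of band
	order := "pay 25.00 to acct-2002"
	fmt.Println(bank.Authorize("acct-1001", order, tok.Sign("acct-1001", order)))
}
```

Knowing the account id alone is not enough: a signature made with any other key, or over a different order, is rejected.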


