Do You Need a Digital ID?

Anne & Lynn Wheeler lynn at garlic.com
Mon Mar 21 11:13:57 EST 2005


minor addenda ... ref:
http://www.garlic.com/~lynn/aadsm19.htm#1 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm19.htm#2 Do You Need a Digital ID?

there are 2nd order implementations of public/private key authentication 
business process where keeping the private key private might involve

* keeping the private key in an encrypted file and a pin/password is 
required to decrypt a file. this could be considered a possibly weak 
form of two-factor authentication: 1) possession of the encrypted file 
and 2) possession of the key to decrypt the file (it may in fact be 
considered so weak that many might consider it only one-factor 
authentication, the knowledge of the key to decrypt the file).

* keeping the private key in a token ... where the characteristics of 
the private key and the token holding the private key are taken as 
equivalent. the simple token/private-key equivalence is then one-factor 
"something you have" authentication ... aka a) digital signature is an 
expression of access and use of the private key and b) access and use of 
the private key is an expression of the possession of the token.

* a private key token that requires PIN and/or biometrics to operate in 
specific manner ... a relying party with business process certification 
of the private key only existing in a specific token and that the 
specific token is also certified as to requiring specific PIN and/or 
biometrics then possibly the relying party can assume some form of two 
factor authentication (or even three factor authentication); the digital 
signature is an expression of the access and use of the private key, the 
access and use of the private key is an expression of a combination of a) 
possession of a specific hardware token, b) corresponding PIN for that 
specific hardware token to operate in a specific manner and/or c) 
biometric for that specific hardware token to operate in a specific manner.

note in the old-fashioned identity digital certificates from the early 90s 
... there was frequently little or no discussion as to the integrity 
requirements regarding the ability to access and use a specific private 
key (which is what the whole private/public key business process is 
fundamentally built on). there was frequently lots of documentation on 
what a certification authority might do in the integrity around the 
generation of an identity digital certificate .... but very little or 
nothing about what the key owner was required to do in order to enable 
the whole fundamental public/private key business process to operate 
correctly.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
