Do You Need a Digital ID?
Anne & Lynn Wheeler
lynn at garlic.com
Mon Mar 21 11:13:57 EST 2005
minor addenda ... ref:
http://www.garlic.com/~lynn/aadsm19.htm#1 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm19.htm#2 Do You Need a Digital ID?
there are 2nd order implementations of public/private key authentication
business process where keeping the private key private might involve
* keeping the private key in an encrypted file and a pin/password is
required to decrypt a file. this could be considered a possibly weak
form of two-factor authentication: 1) possession of the encrypted file
and 2) possession of the key to decrypt the file (it may in fact be
considered so weak that many might consider it only one-factor
authentication, the knowledge of the key to decrypt the file).
* keeping the private key in a token ... where the characteristics of
the private key and the token holding the private key are taken as
equivalent. the simple token/private-key equivalence is then one-factor
"something you have" authentication ... aka a) digital signature is an
expression of access and use of the private key and b) access and use of
the private key is an expression of the possession of the token.
* a private key token that requires PIN and/or biometrics to operate in
specific manner ... a relying party with business process certification
of the private key only existing in a specific token and that the
specific token is also certified as to requiring specific PIN and/or
biometrics then possibly the relying party can assume some form of two
factor authentication (or even three factor authentication); the digital
signature is an expression of the access and use of the private key, the
access and use of the private key is an expression of a combination of a)
possession of a specific hardware token, b) corresponding PIN for that
specific hardware token to operate in a specific manner and/or c)
biometric for that specific hardware token to operate in a specific manner.
note in the old-fashioned identity digital certificates from the early 90s
... there was frequently little or no discussion as to the integrity
requirements regarding the ability to access and use a specific private
key (which is what the whole private/public key business process is
fundamentally built on). there was frequently lots of documentation on
what a certification authority might do in the integrity around the
generation of an identity digital certificate .... but very little or
nothing about what the key owner was required to do in order to enable
the whole fundamental public/private key business process to operate
correctly.
---------------------------------------------------------------------
The Cryptography Mailing List