Do You Need a Digital ID?

Anne & Lynn Wheeler lynn at garlic.com
Wed Mar 23 15:57:13 EST 2005


Anne & Lynn Wheeler wrote:
> 3-factor authentication paradigm obviously also doesn't cover whether 
> the authentication is direct face-to-face or that the relying party is 
> inferring authentication taking place by the existence of other kinds of 
> evidence. for instance, a relying party validating a digital signature 
> with a public key will infer that the other party is in possession of 
> the corresponding private key. the relying party may not have direct 

i.e.
http://www.garlic.com/~lynn/aadsm19.htm#5 Do You Need a Digital ID?

one of the possible side-effects of applying 3-factor authentication 
paradigm ... and observing that

1) the verification of a digital signature is just a method
of inferring the possession of a specific private key

2) the possession of a private key obviously (theoretically possible, 
but i know of no instances of people memorizing private keys) isn't 
"something you know" authentication and a private key isn't "something 
you are" authentication ... leaving it to be "something you have" 
authentication (aka in your possession)

3) private keys in their simplest form are just electronic bits that are 
relatively easy to copy

then in order for a private key to be useful in a "something you have" 
authentication, it follows fairly straightforwardly that significant 
security procedures and countermeasures are required to prevent such 
copying (in order to provide some level of assurance that the assumed 
entity is consistently and uniquely in possession of the specific 
private key).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
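
Added illustration, not part of the original post: a relying party's signature check passes identically for the key's owner and for a bit-for-bit copy of the private key, which is the inference gap points 1) to 3) describe. Assumptions: toy textbook RSA over two fixed Mersenne primes stands in for a real signature scheme, and all names here are hypothetical.

```python
import hashlib
import secrets

# Toy textbook RSA built from two fixed Mersenne primes. Constructed for this
# illustration only: no padding, tiny modulus, NOT a secure signature scheme.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # the private key is nothing but an integer


def digest(msg: bytes) -> int:
    """Hash the message and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(private_d: int, msg: bytes) -> int:
    return pow(digest(msg), private_d, N)


def verify(sig: int, msg: bytes) -> bool:
    """All the relying party can do: check the signature against the public key."""
    return pow(sig, E, N) == digest(msg)


def relying_party_accepts(signer) -> bool:
    """Challenge-response: a fresh nonce rules out replay, nothing more."""
    challenge = secrets.token_bytes(16)
    return verify(signer(challenge), challenge)


def demo() -> dict:
    key_file = D.to_bytes(32, "big")            # key stored as plain bits
    copied_d = int.from_bytes(key_file, "big")  # a second party copies the bits
    fixed = b"constructed challenge"            # constructed sample input
    return {
        "owner_accepted": relying_party_accepts(lambda c: sign(D, c)),
        "copy_accepted": relying_party_accepts(lambda c: sign(copied_d, c)),
        "other_key_accepted": relying_party_accepts(lambda c: sign(D - 2, c)),
        "signatures_identical": sign(D, fixed) == sign(copied_d, fixed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verification result says only that some holder of the key bits produced the signature; any assurance that the holder is unique has to come from how the key is protected against copying.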


