simple (&secure??) PW-based web login (was Re: Another entry in the internet security hall of shame....)

Anne & Lynn Wheeler lynn at garlic.com
Wed Sep 14 16:14:13 EDT 2005


there is somewhat an ancillary philosophical issue. most of the current
password-based systems have been oriented towards a static environment
... contributing to a mindset that addresses authentication technology
as a static issue.

The PKI paradigm even goes further with contributing to a somewhat
rigid, stale, static view of authentication technology ... spending an
enormous amount of effort in focusing on the rigid, stale, static nature
of the issued digital certificates.

this can be contrasted with the real-time authentication environment
provided by RADIUS like technologies ... not only providing for
integrated overall management and administration ... but also real-time
integrated operation of authentication, authorization, and accounting.

minor confession ... in past life i actually assisted with radius
configuration on real, live livingston boxes for a small startup ...
when radius was still a purely livingston technology.
http://www.garlic.com/~lynn/subpubkey.html#radius

radius-like technologies provide an extremely agile, real-time environment
integrating the management, administration, and operation of multiple,
co-existing authentication technologies ... along with integrated
real-time authorization and accounting.

given that you are freed from the static oriented authentication
technologies (like PKI) and related stale, static mindset ... one could
even imagine radius-like implementations extended to parameterized risk
management; where the infrastructures apply integrity classifications to
different authentication technologies and processes ... and
authorization infrastructures specifying minimal acceptable
authentication integrity levels.
http://www.garlic.com/~lynn/subpubkey.html#certless

some of this is born out of the credit-card industry where real-time
authorization can be associated with unique credit limit values on an
account-by-account basis ... as well as account specific "open-to-buy"
... aka the difference between the account's outstanding charges and the
account's credit limit (aka allows dynamic co-existence of a wide range of
different credit limits and dynamic risk management authorization
operations)

for instance, a parameterized risk management operation in an agile,
real-time, integrated environment might allow for an integrity level
with simple "something you are" digital signature for some permissions
... but other permissions may require that the public key has been
registered with a certified hardware token of minimal specified
integrity characteristics and furthermore, the authentication operation
has to be co-signed by a finread-like technology certified station.
http://www.garlic.com/~lynn/subpubkey.html#finread

there is a very loose analogy between using the structuring of
role-based access control for fine grain permissions ... and the
structuring of authentication integrity levels ....  for dynamic
application for permission purposes.
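As an added illustration of the "parameterized risk management" and integrity-level ideas in the two paragraphs above (this is constructed example code, not anything from the original post or from any RADIUS implementation): the infrastructure classifies each authentication event into an integrity level from its real-time properties, the authorization side states the minimum level it will accept per permission, and a credit-card-style per-account "open-to-buy" gate is applied in the same decision. All level names, permissions, account ids and limits are made-up assumptions.

```python
# Added example (not from the original post): a toy real-time AAA policy
# that assigns integrity levels to authentication events, lets the
# authorization side specify a minimum level per permission, and applies
# an account-specific "open-to-buy" limit. All names/values are constructed.
from dataclasses import dataclass
from enum import IntEnum


class Integrity(IntEnum):
    """Integrity classification the infrastructure assigns to one auth event."""
    NONE = 0
    PASSWORD = 1            # static shared secret
    SOFT_KEY = 2            # valid signature, key not bound to certified hardware
    HW_TOKEN = 3            # public key registered with a certified hardware token
    HW_TOKEN_COSIGNED = 4   # hardware token plus co-signature from a certified station


@dataclass(frozen=True)
class AuthEvent:
    account: str
    method: str                     # "password" or "signature"
    credential_valid: bool          # result of the actual check (assumed done elsewhere)
    token_certified: bool = False   # key registered with a certified hardware token
    station_cosigned: bool = False  # co-signed by a finread-like certified station


def classify(ev: AuthEvent) -> Integrity:
    """Map the dynamic properties of one authentication event to a level."""
    if not ev.credential_valid:
        return Integrity.NONE
    if ev.method == "password":
        return Integrity.PASSWORD
    if ev.method == "signature":
        if ev.token_certified and ev.station_cosigned:
            return Integrity.HW_TOKEN_COSIGNED
        if ev.token_certified:
            return Integrity.HW_TOKEN
        return Integrity.SOFT_KEY
    return Integrity.NONE


# Authorization side: minimum acceptable integrity per permission (constructed).
REQUIRED = {
    "view_balance": Integrity.PASSWORD,
    "small_transfer": Integrity.SOFT_KEY,
    "large_transfer": Integrity.HW_TOKEN_COSIGNED,
}


@dataclass
class Account:
    credit_limit: int
    outstanding: int = 0

    @property
    def open_to_buy(self) -> int:
        # difference between the credit limit and outstanding charges
        return self.credit_limit - self.outstanding


# Constructed accounts with different limits co-existing in one policy.
ACCOUNTS = {
    "acct-1": Account(credit_limit=1000),
    "acct-2": Account(credit_limit=5000, outstanding=4800),
}


def authorize(ev: AuthEvent, permission: str, amount: int = 0) -> tuple[bool, str]:
    """Real-time decision: integrity-level gate, then per-account open-to-buy gate.

    A successful decision immediately updates the account (the accounting
    part of AAA), so the next decision sees the new open-to-buy value.
    """
    level = classify(ev)
    needed = REQUIRED.get(permission)
    if needed is None:
        return False, "unknown permission"
    if level < needed:
        return False, f"integrity {level.name} below required {needed.name}"
    acct = ACCOUNTS.get(ev.account)
    if acct is None:
        return False, "unknown account"
    if amount > acct.open_to_buy:
        return False, f"amount {amount} exceeds open-to-buy {acct.open_to_buy}"
    acct.outstanding += amount
    return True, f"authorized at {level.name}"


if __name__ == "__main__":
    strong = AuthEvent("acct-2", "signature", True, token_certified=True, station_cosigned=True)
    print(authorize(AuthEvent("acct-1", "password", True), "large_transfer", 100))
    print(authorize(strong, "large_transfer", 300))   # blocked by open-to-buy (200)
    print(authorize(strong, "large_transfer", 150))   # allowed; open-to-buy drops to 50
```

The point of the split between `classify` and `REQUIRED` is that new authentication technologies can be added (a new level, or a re-rating of an existing one) without touching the permission table, and the permission table can tighten a requirement without touching the authentication code, which is the agility the post contrasts with a fixed certificate's contents.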

Part of the problem that stale, static PKI oriented infrastructures have
foisted is the focus on the characteristics of the stale, static digital
certificate .... as opposed to being free to concentrate on the
real-time, dynamic operational characteristics of each, individual
authentication event (and not having to be bound by stale, static
infrastructure characteristics).

of course, anytime i mention agile, dynamic operation ... i frequently
digress to also throwing in boyd and ooda-loop references:
http://www.garlic.com/~lynn/subboyd.html#boyd2
http://www.garlic.com/~lynn/subboyd.html#boyd

and for even further topic drift ... numerous references to having
created dynamic, adaptive resource management as an undergraduate in the
'60s
http://www.garlic.com/~lynn/subtopic.html#fairshare
http://www.garlic.com/~lynn/subtopic.html#wsclock

---------------------------------------------------------------------
The Cryptography Mailing List