[SLUG] Re: Passwords on the web -- differentiating between authentication and encryption

From: Bryan J. Smith (b.j.smith@ieee.org)
Date: Sat Sep 25 2004 - 23:21:02 EDT


On Sat, 2004-09-25 at 12:42, steve szmidt wrote:
> That's not the point. The purpose with a well known signer is that the Public
> trusts them. We don't care about the developer - he knows who he is.
> That SSL works is also known. So it comes down to give the public a nice and
> warm feeling when they enter confidential information.

People often don't differentiate between authentication and encryption.
SSL provides both, but to varying levels depending on how it is
implemented. And no, I'm not talking about the RC4 key length.

Encryption means _jack_ if you can't authenticate who you are talking to
first. You must establish that the party you are talking to is
authentic -- _then_ you can trust any encryption it provides.

If you self-cert your X.509, then _you_ are responsible for getting your
server's public key into the public's hands as "trusted." If you want
to do that by using another key (e.g., PGP) to sign it, or providing it
physically on a disk or USB device, then that's fine. Alternatively you
could provide a printout of the fingerprint for verification of the
public key when someone hits the site for the first time.

If you cert with an established certificate authority (CA), then they
keep your public key on-file. So anyone can hit your site, their
browser will verify the public key of your server with the CA. The CA
is trusted, and if your key matches, you are then trusted. It's worth
the $100+/year IMHO, but that's just me.

In fact, once you establish some method of public trust -- be it an X.509
with a CA, a well-established OpenPGP key, etc., you can then sign
anything and everything with it for verification purposes. It costs a
bit more to do so with a CA (be a signing authority yourself), but it's
worth it IMHO.

-- 
Bryan J. Smith                                  b.j.smith@ieee.org 
------------------------------------------------------------------ 
"Communities don't have rights. Only individuals in the community
 have rights. ... That idea of community rights is firmly rooted
 in the 'Communist Manifesto.'" -- Michael Badnarik
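An added illustration of the two trust paths Bryan describes (not code from the list or its author): a CA-verified context, where the library checks the chain, beside a self-signed context, where the client authenticates the peer itself against a fingerprint obtained out of band (a printout, a PGP-signed file, a USB stick). `connect_pinned`, `SAMPLE_DER` and `SAMPLE_PRINTOUT` are assumed names; the DER bytes are a constructed stand-in, not a real certificate.

```python
"""Authenticate the server before trusting its encryption:
 (a) CA-verified chain, or (b) self-signed cert checked against a pinned fingerprint."""
import hashlib
import hmac
import socket
import ssl


def ca_verified_context() -> ssl.SSLContext:
    # Mode (a): trust the OS CA store; the library verifies chain and hostname.
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def pinned_context() -> ssl.SSLContext:
    # Mode (b): no CA vouches for a self-signed cert, so the library must not
    # reject it during the handshake; we verify the fingerprint ourselves after.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def sha256_fingerprint(der_cert: bytes) -> str:
    # Colon-separated upper-case hex, the form usually printed on a fingerprint sheet.
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    # Normalise the printed value (case, colons, spaces) and compare in constant time.
    got = sha256_fingerprint(der_cert).replace(":", "")
    want = expected.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(got, want)


def connect_pinned(host: str, port: int, expected: str) -> ssl.SSLSocket:
    # Handshake first (hypothetical helper), then authenticate the peer against
    # the out-of-band fingerprint before any application data is sent.
    raw = socket.create_connection((host, port))
    sock = pinned_context().wrap_socket(raw, server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, expected):
        sock.close()
        raise ssl.SSLCertVerificationError("peer cert does not match pinned fingerprint")
    return sock


# Constructed stand-in for a DER-encoded certificate (not a real cert) and the
# fingerprint that would be handed out with it on paper.
SAMPLE_DER = b"-- constructed stand-in for a DER certificate --"
SAMPLE_PRINTOUT = sha256_fingerprint(SAMPLE_DER)
```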

----------------------------------------------------------------------- This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.