[cap-talk] Webkeys vs. the web

Rob Meijer capibara at xs4all.nl
Tue Mar 24 04:44:23 EDT 2009


On Mon, March 23, 2009 21:22, Stiegler, Marc D wrote:
> I am presuming that the service would be using the "forgot your password"
> protocol anyway for people who forget their password. In which case, there
> is no increase in vulnerability: an attacker who has the prerequisite mitm
> authority can always simply run this attack against you anyway, just by
> clicking "forgot my password" button for you :-)

I am surprised that you would consider name/password authentication at all.
If there is a need for proof of identity, client certificates would IMHO
be the preferred tool for this.

For rare access from new, potentially untrusted locations, the use of
identity should, I feel, be avoided. If you implement a password/webkey
combination to access decomposed sub-authority, you could use this as an
alternative for these situations. If you can seal a webkey with a new
password behind a public, memorable URL, you can, from a trusted regular
system that you trust to hold your client certificate and private identity
key (which could very well be your smartphone), delegate auto-revoked
sub-authority to yourself for one-time usage from untrusted, rarely used
locations.


Rob
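The delegation flow sketched in the message above, worked through as an added example that is not code from the cap-talk thread or from any webkey implementation: a trusted device holding the full webkey derives a single-use, expiring sub-webkey, seals it under a fresh password, and parks the sealed blob behind a short public URL; from the untrusted machine one presents the URL and the password, receives the sub-webkey, and spends it once, after which it is revoked. The class and method names (Authority, delegate_one_time, redeem, access), the sealing construction (PBKDF2 key derivation feeding an HMAC-based stream cipher with encrypt-then-MAC), the three-attempt guess limit and the example.invalid host are all this example's own assumptions.

```python
"""Toy model of password-sealed, single-use webkey delegation (added example)."""
import hashlib
import hmac
import secrets
import time

# Constructed sample data: the resource the full (root) webkey designates.
ROOT_RESOURCE = "calendar:alice"
PBKDF2_ITERATIONS = 100_000     # assumption; tune for the deployment
MAX_UNSEAL_ATTEMPTS = 3         # assumption: destroy the blob after repeated bad guesses


def _derive_keys(password, salt):
    """Split one PBKDF2 output into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a simple stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(password, plaintext):
    """Encrypt-then-MAC the webkey under a key derived from the password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag, "attempts": 0}


def unseal(password, blob):
    """Return the plaintext, or None if the password (hence the tag) is wrong."""
    enc_key, mac_key = _derive_keys(password, blob["salt"])
    expect = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


class Authority:
    """Server-side table of live webkeys plus sealed one-time delegations."""

    def __init__(self, now=time.time):
        self.now = now
        self.webkeys = {}   # token -> {"resource", "expires", "uses_left"}
        self.sealed = {}    # slug  -> sealed blob produced by seal()

    def mint_root(self, resource):
        """The long-lived webkey kept only on the trusted device."""
        token = secrets.token_urlsafe(32)
        self.webkeys[token] = {"resource": resource, "expires": None, "uses_left": None}
        return token

    def delegate_one_time(self, parent_token, password, ttl_seconds):
        """Derive a single-use, expiring sub-webkey and park it, sealed, behind a public slug."""
        parent = self.webkeys.get(parent_token)
        if parent is None:
            raise PermissionError("unknown or revoked parent webkey")
        child = secrets.token_urlsafe(32)
        self.webkeys[child] = {"resource": parent["resource"],
                               "expires": self.now() + ttl_seconds, "uses_left": 1}
        slug = secrets.token_urlsafe(6)          # short enough to retype from memory
        self.sealed[slug] = seal(password, child.encode())
        return f"https://example.invalid/s/{slug}"   # placeholder host

    def redeem(self, slug, password):
        """Unseal server-side; wrong guesses are counted and the blob is destroyed on abuse."""
        blob = self.sealed.get(slug)
        if blob is None:
            return None
        token = unseal(password, blob)
        if token is None:
            blob["attempts"] += 1
            if blob["attempts"] >= MAX_UNSEAL_ATTEMPTS:
                del self.sealed[slug]
            return None
        del self.sealed[slug]        # the public URL is spent once the webkey is out
        return token.decode()

    def access(self, token):
        """Exercise a webkey; single-use keys are revoked on first use, expired ones on sight."""
        entry = self.webkeys.get(token)
        if entry is None:
            raise PermissionError("unknown or revoked webkey")
        if entry["expires"] is not None and self.now() > entry["expires"]:
            del self.webkeys[token]
            raise PermissionError("webkey expired")
        if entry["uses_left"] is not None:
            entry["uses_left"] -= 1
            if entry["uses_left"] == 0:
                del self.webkeys[token]   # auto-revoke after the one permitted use
        return entry["resource"]


def demo():
    """Trusted phone delegates; untrusted kiosk redeems and uses the sub-webkey once."""
    auth = Authority()
    root = auth.mint_root(ROOT_RESOURCE)
    url = auth.delegate_one_time(root, "correct horse", ttl_seconds=600)
    sub = auth.redeem(url.rsplit("/", 1)[1], "correct horse")
    first = auth.access(sub)
    try:
        auth.access(sub)
        second = "allowed"
    except PermissionError:
        second = "revoked"
    return first, second
```

The public slug alone grants nothing, the password alone grants nothing, and the sub-webkey dies after one use or on expiry, so a compromise of the untrusted machine is bounded to that single access; the root webkey and the identity credentials never leave the trusted device. Because the blob is unsealed server-side rather than handed out, password guessing is online and can be throttled and cut off, which is why the attempt counter is there.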