[cap-talk] Webkeys vs. the web

Rob Meijer capibara at xs4all.nl
Tue Mar 24 17:39:43 EDT 2009

On Tue, March 24, 2009 20:02, David-Sarah Hopwood wrote:
> Rob Meijer wrote:
>> On Mon, March 23, 2009 21:22, Stiegler, Marc D wrote:
>>> I am presuming that the service would be using the "forgot your
>>> password"
>>> protocol anyway for people who forget their password. In which case,
>>> there
>>> is no increase in vulnerability: an attacker who has the prerequisite
>>> mitm
>>> authority can always simply run this attack against you anyway, just by
>>> clicking "forgot my password" button for you :-)
>> I am surprised that you would consider name/password authentication at
>> all.
>> If there is a need for proof of identity, client certificates would IMHO
>> be the preferred tool for this.
> Cripes, no. Client certificates have an unusable browser UI.

What makes you conclude this, when compared to name/password proof of
identity? Remembering numerous site/username/password combinations is a
usability nightmare when compared to using a client certificate IMHO.

I wonder if we have the same frame of reference with respect to numbers.
If you feel the number of systems a user trusts with its identity
outnumbers the number of site/username/password combinations, that may be
the source of our disagreement on this point, given that in my frame of
reference the site/username/password combinations seem to greatly
outnumber the number of systems I would work from.

> Besides, they
> don't solve the problem of allowing use from another browser, or from a
> cybercafe.

As I stated in my previous post, I feel strongly that no usable technology
exists that can be trusted to such an extend as to use any proof of
identity from an untrusted computer. User identity for one often provides
to course a authority granularity to grant to an untrusted PC. Next to
this, the only way to revoke the authority is to change the password
before the controller of the untrusted PC does. From a least authority
view we should neither be using username/password combinations nor client
certificates from an untrusted PC.

I feel that smartphones could provide a good way forward, where we should
aim for a solution that allows one to delegate a single session sub
authority membrane to be delegated to the cybercafe system from the
smartphone. If you get that part right, you don't need to use identity on
the untrusted system, and the partial authority given to the untrusted
system would fully adhere to POLA.


More information about the cap-talk mailing list