
Re: [websec] re-call for IETF http-auth BoF

From: Anders Rundgren <anders.rundgren@telia.com>
Date: Wed, 15 Jun 2011 17:22:00 +0200
Message-ID: <4DF8CE18.7080408@telia.com>
To: Nico Williams <nico@cryptonector.com>
CC: Yutaka OIWA <y.oiwa@aist.go.jp>, "KIHARA, Boku" <bkihara.l@gmail.com>, public-identity@w3.org, pgut001@cs.auckland.ac.nz
On 2011-06-15 17:11, Nico Williams wrote:
> On Wed, Jun 15, 2011 at 10:08 AM, Anders Rundgren
> <anders.rundgren@telia.com> wrote:
>> Another alternative is using authentication methods where you only
>> (optionally) use local PINs which if snooped by an imitating UI
>> doesn't get the attacker very far, at least not on an Internet scale.
> 
> Once you've got a credential manager integrated then this will
> typically be the case.
> 
>> PKI is still the champ.
> 
> I don't think PKI has an advantage here, except for smartcard support
> the crypto primitives (public key operations) needed for PKI.

W3C's WebID is a novel use of PKI that IMO gives OpenID a run for its money.

Regarding mutual authentication, it would be a piece of cake adding an X.509
extension containing sites/domains that the issuer grants usage with.

-- Anders
Received on Wednesday, 15 June 2011 15:22:37 GMT
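Added illustration, not part of the thread and not code from any of its participants: a sketch of the extension Anders describes, encoded as a DER SEQUENCE OF IA5String of DNS names, together with the check a browser or other relying party would run before offering the client certificate to a site. The OID 1.3.6.1.4.1.99999.1 and the "permitted sites" semantics are assumptions for this example only; no standard assigns them, and the sample domain list is constructed.

```python
"""
Hypothetical "permitted sites" X.509 extension: DER encoder, strict decoder,
and the relying-party match. Illustration only; not a standardised extension.
"""

# Assumption: a private-arc OID invented for this example, with no standard meaning.
PERMITTED_SITES_OID = "1.3.6.1.4.1.99999.1"

TAG_SEQUENCE = 0x30
TAG_IA5STRING = 0x16


def _der_length(n: int) -> bytes:
    """DER definite length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def encode_permitted_sites(domains):
    """Issuer side: encode DNS names as SEQUENCE OF IA5String (ASCII only)."""
    for d in domains:
        if not d.isascii():
            raise ValueError(f"IA5String cannot carry non-ASCII name: {d!r}")
    inner = b"".join(_der_tlv(TAG_IA5STRING, d.encode("ascii")) for d in domains)
    return _der_tlv(TAG_SEQUENCE, inner)


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at buf[pos]; returns (tag, content, next_pos).

    Rejects indefinite and non-minimal lengths, as DER requires, so two
    different byte strings cannot decode to the same site list.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        if buf[pos] == 0:
            raise ValueError("non-minimal DER length (leading zero byte)")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80:
            raise ValueError("non-minimal DER length (long form for short value)")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_permitted_sites(der: bytes):
    """Relying-party side: strict decode of the extension value into a list of names."""
    tag, content, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    domains, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag != TAG_IA5STRING:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside SEQUENCE")
        domains.append(value.decode("ascii"))
    return domains


def site_permitted(permitted, host):
    """True if host matches an entry exactly or a single-label wildcard '*.example.com'."""
    host = host.lower().rstrip(".")
    for entry in permitted:
        entry = entry.lower().rstrip(".")
        if entry == host:
            return True
        if entry.startswith("*."):
            suffix = entry[1:]          # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


# Constructed sample list an issuer might place in a client certificate.
SAMPLE_SITES = ["login.example.com", "*.intranet.example"]

if __name__ == "__main__":
    der = encode_permitted_sites(SAMPLE_SITES)
    print(PERMITTED_SITES_OID, der.hex())
    for host in ("login.example.com", "wiki.intranet.example", "evil.example.com"):
        print(host, site_permitted(decode_permitted_sites(der), host))
```

The check only has meaning once the certificate carrying the extension has chained to an issuer the user agent trusts; an attacker who can mint certificates can list any site they like. The point of doing the match in the user agent, before the certificate is ever presented, is that an imitating UI on a site the issuer did not name gets no signature from the key at all.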
