W3C home > Mailing lists > Public > public-identity@w3.org > June 2011

RE: [websec] re-call for IETF http-auth BoF

From: Kerr, Greg <Greg.kerr@authentec.com>
Date: Wed, 15 Jun 2011 15:15:59 +0000
To: Anders Rundgren <anders.rundgren@telia.com>, Nico Williams <nico@cryptonector.com>
CC: Yutaka OIWA <y.oiwa@aist.go.jp>, "KIHARA, Boku" <bkihara.l@gmail.com>, "public-identity@w3.org" <public-identity@w3.org>
Message-ID: <51EDED437EB09641AF920E0B73C6B0C50B895787@US1EXCH01.auth.org>
Local (platform and/or user-agent native) authentication (PIN, token, platform password and/or biometric) which releases an unrelated token (e.g. OTP based on a provisioned seed) seems to be an optimal solution. That's what we tried to outline in our whitepaper. PKI is great and could be used inside or in support of this method as well (e.g. OATH's DSKPP for provisioning). I think one key would be giving the page information on what is behind the authentication so the service provider can react according to their desires (e.g. payment vs. social login).

 -- Greg
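The pattern Greg describes above (a local PIN gating the release of an OTP computed from a provisioned seed, with the relying party told what local method was behind the release so it can apply a per-operation policy), as an added example written for this page; it is not code from the thread or from AuthenTec's whitepaper. It assumes RFC 4226 HOTP for the released token, a hypothetical HMAC tag (under a key derived from the seed) that binds the "what was behind the authentication" claim to the counter so a page cannot simply assert "biometric", and constructed names (LocalAuthenticator, RelyingParty, the policy table, user "alice").

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def claim_key(seed: bytes) -> bytes:
    # Hypothetical derivation: a separate key for the local-method claim, so the
    # OTP seed itself is not reused for a second purpose.
    return hmac.new(seed, b"local-auth-claim", hashlib.sha256).digest()


def claim_tag(seed: bytes, counter: int, method: str) -> bytes:
    # Binds "which local method released this OTP" to the counter value.
    msg = struct.pack(">Q", counter) + method.encode()
    return hmac.new(claim_key(seed), msg, hashlib.sha256).digest()


@dataclass
class LocalAuthenticator:
    """Device side. The PIN is verified locally and never leaves the device;
    only the OTP and a tagged description of the local method are released."""
    seed: bytes            # provisioned out of band, e.g. via DSKPP
    pin_salt: bytes
    pin_hash: bytes
    method: str = "pin"    # what gates the release: pin / biometric / platform_password
    counter: int = 0
    failed: int = 0
    max_failed: int = 5    # local lockout; a snooped PIN is useless without the device

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    @classmethod
    def provision(cls, seed: bytes, pin: str, method: str = "pin"):
        salt = secrets.token_bytes(16)
        return cls(seed, salt, cls._pin_hash(pin, salt), method)

    def release_token(self, pin: str) -> dict:
        if self.failed >= self.max_failed:
            raise PermissionError("authenticator locked")
        if not hmac.compare_digest(self._pin_hash(pin, self.pin_salt), self.pin_hash):
            self.failed += 1
            raise PermissionError("wrong PIN")
        self.failed = 0
        c = self.counter
        self.counter += 1
        return {"otp": hotp(self.seed, c), "counter": c, "local_auth": self.method,
                "tag": claim_tag(self.seed, c, self.method).hex()}


@dataclass
class RelyingParty:
    """Service side. Holds the shared seeds and decides, per operation,
    which local methods it is willing to accept (constructed policy)."""
    seeds: dict
    policy: dict = field(default_factory=lambda: {
        "social_login": {"pin", "biometric", "platform_password"},
        "payment": {"biometric"},
    })
    counters: dict = field(default_factory=dict)
    look_ahead: int = 10   # tolerate counters the device advanced without reaching us

    def verify(self, user: str, token: dict, operation: str) -> bool:
        seed = self.seeds[user]
        last = self.counters.get(user, 0)
        c = token["counter"]
        if not (last <= c < last + self.look_ahead):
            return False                       # replay or far out of sync
        if not hmac.compare_digest(hotp(seed, c), token["otp"]):
            return False
        expected = claim_tag(seed, c, token["local_auth"])
        if not hmac.compare_digest(expected, bytes.fromhex(token["tag"])):
            return False                       # method claim was altered in transit
        self.counters[user] = c + 1            # token consumed even if policy rejects it
        return token["local_auth"] in self.policy.get(operation, set())
```

A PIN-gated release satisfies "social_login" but not "payment" under this policy, the same token replayed is rejected by the counter window, and rewriting `local_auth` to "biometric" without the device's tag fails the claim check.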

-----Original Message-----
From: public-identity-request@w3.org [mailto:public-identity-request@w3.org] On Behalf Of Anders Rundgren
Sent: Wednesday, June 15, 2011 11:08
To: Nico Williams
Cc: Yutaka OIWA; KIHARA, Boku; public-identity@w3.org
Subject: Re: [websec] re-call for IETF http-auth BoF

On 2011-06-15 16:35, Nico Williams wrote:
<snip>
> I agree that a UI that cannot be imitated is a good and desirable 
> thing, but as long as full-screen applications are allowed you'll need 
> a secure attention sequence instead.

Another alternative is using authentication methods where you only
(optionally) use local PINs which, if snooped by an imitating UI, don't get the attacker very far, at least not on an Internet scale.

PKI is still the champ.

--Anders



NOTE: The information in this message is intended for the personal and confidential use of the designated recipient(s) named above. To the extent the recipient(s) is/are bound by a non-disclosure agreement, or other agreement that contains an obligation of confidentiality, with AuthenTec, then this message and/or any attachments shall be considered confidential information and subject to the confidentiality terms of that agreement.  If the reader of this message is not the intended recipient named above, you are notified that you have received this document in error, and any review, dissemination, distribution or copying of this message is strictly prohibited. If you have received this document in error, please delete the original message and notify the sender immediately.
Thank You!
AuthenTec, Inc.  http://www.authentec.com/

Received on Wednesday, 15 June 2011 21:41:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 15 June 2011 21:41:43 GMT