Re: Secure Chrome

From: Chuck Wade <Chuck@Interisle.net>
Date: Thu, 15 Jun 2006 22:20:44 -0400
Message-ID: <4492157C.2020904@Interisle.net>
To: Chris Drake <christopher@pobox.com>
CC: public-usable-authentication@w3.org

Chris,

I would not characterize my comment as expressing "highly negative 
sentiment." I'm just being pragmatic. If the "problem" is abuse and 
fraud in the context of online services built on top of the Web model, 
then authentication is only one part of the overall security problem.

For example, what about "access control?" It depends on authentication, 
but even if the authentication is perfect, there are still ways for an 
authenticated party to gain unauthorized access to information or 
services (e.g., privilege escalation). Another example is 
non-repudiation where authentication again plays a role, but cannot by 
itself prevent a party from repudiating a transaction, or details of a 
transaction.

Authentication also depends on practices and procedures for enrolling 
users, organizations and Web sites that can be attacked and compromised. 
The result might be that an illegitimate party is erroneously enrolled, 
which would allow them to authenticate as though they were legitimate, 
no matter how effective the authentication measures might be.

The larger point I was trying to make, and that Phillip had already 
stated quite well, is that we need to improve on the existing solutions, 
even though we will never fully solve all of the problems. We just need 
to make things get better, hopefully much better. And to that end, 
"effective *mutual* authentication" is very important.

...Chuck

Chris Drake wrote:
> Hi Chuck,
>
> Friday, June 16, 2006, 7:18:53 AM, Chuck wrote:
>
>> It is also worth noting that even the most effective mutual
>> authentication techniques do not solve the problem either, ...
>
> That's a pretty sweeping, highly negative sentiment!  What, exactly,
> do you mean?  I can only guess that your idea of "most effective"
> isn't really "most effective", and you probably meant something else?
>
> There's a *lot* of highly effective technology out there - can you
> narrow your statement down and point the finger at which ones you're
> unhappy with, and why?
>
> Kind Regards,
> Chris Drake
>
Received on Friday, 16 June 2006 02:20:58 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:15 UTC