Re: Shared Public Knowledge

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 12 Apr 2007 01:01:12 +0100
Message-ID: <461D76C8.2090405@cs.tcd.ie>
To: michael.mccormick@wellsfargo.com
CC: public-wsc-wg@w3.org


Just dipping in (and out:-) quickly, but I think this is an interesting
aspect to think about.

michael.mccormick@wellsfargo.com wrote:

> The much maligned Mother's Maiden Name is an example of weak KBA but 
> much stronger ones are possible using the enormous databases of personal 
> data that are available from brokers today.  So I think the SPK 
> "anti-pattern" would benefit from being softened a bit to acknowledge 
> there's a place for it under certain conditions.

While I agree with your overall point, I think the above paragraph
implies that such schemes are problematic since they depend upon, and
thus encourage, the collection of such databases. That has two problems:
first, authentication schemes that are privacy unfriendly like this
are (IMO) problematic, and second, they inherently create a very
nice target DB - a good bit worse than e.g. a weak shared secret DB
that's protected via EKE and maybe Ford-Kaliski sharing (sorry don't
have a reference to hand - ask PHB).

Stephen.
Received on Wednesday, 11 April 2007 23:59:51 GMT