Re: [websec] re-call for IETF http-auth BoF

On 2011-06-15 17:11, Nico Williams wrote:
> On Wed, Jun 15, 2011 at 10:08 AM, Anders Rundgren
> <anders.rundgren@telia.com> wrote:
>> Another alternative is using authentication methods where you only
>> (optionally) use local PINs which if snooped by an imitating UI
>> doesn't get the attacker very far, at least not on an Internet scale.
> 
> Once you've got a credential manager integrated then this will
> typically be the case.
> 
>> PKI is still the champ.
> 
> I don't think PKI has an advantage here, except for smartcard support
> the crypto primitives (public key operations) needed for PKI.

W3C's WebID is a novel use of PKI that IMO gives OpenID a run for its money.

Regarding mutual authentication, it would be a piece of cake adding an X.509
extension containing sites/domains that the issuer grants usage with.

-- Anders

Received on Wednesday, 15 June 2011 15:22:37 UTC