Re: [foaf-dev] Re: RDFAuth: an initial sketch

Benjamin Nowack wrote:
> Hmm, ok, but wouldn't users also have to upload a private key
> to my server? And my app would have to send the private key
> to the encryption service, which I guess isn't too cool either.

Hi Benjamin,

Absolutely not! That's not acceptable under any circumstances, 
especially when designing a (secure) authentication system... ;)

Your private key remains in your machine always because only you can 
start requests with your private key anyway. There are some key managers 
on KDE and Gnome and Thunderbird as well.

Because it's always you initiating the connection, you can encrypt the
text and send only C(text) instead of requiring the server to generate it
for you.

You could easily transport those keys (under even greater security)
from one computer to the other but I'd never recommend anyone to upload
private keys anywhere, even if the server says "it's safe and encrypted".

cheers,
--renato

Received on Friday, 28 March 2008 12:52:52 UTC