- From: Renato Golin <renato@ebi.ac.uk>
- Date: Fri, 28 Mar 2008 12:52:15 +0000
- To: bnowack@semsol.com
- CC: Story Henry <henry.story@bblfish.net>, Semantic Web <semantic-web@w3.org>, foaf-dev of a Friend <foaf-dev@lists.foaf-project.org>
Benjamin Nowack wrote:
> Hmm, ok, but wouldn't users also have to upload a private key
> to my server? And my app would have to send the private key
> to the encryption service, which I guess isn't too cool either.

Hi Benjamin,

Absolutely not! That's not acceptable under any circumstances, especially when designing a (secure) authentication system... ;)

Your private key remains on your machine always, because only you can start requests with your private key anyway. There are some key managers on KDE and Gnome, and in Thunderbird as well.

Because it's always you initiating the connection, you can encrypt the text and send only C(text) instead of requiring the server to generate it for you.

You could easily transport those keys (under even greater security) from one computer to the other, but I'd never recommend that anyone upload private keys anywhere, even if the server says "it's safe and encrypted".

cheers,
--renato
Received on Friday, 28 March 2008 12:52:52 UTC
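The arrangement Renato argues for, the private key staying with the user while only C(text) crosses the wire, as an added Go example that is not part of this thread: a client signs a server-issued nonce locally and the server verifies it with nothing but the published public key. The Client/Server types, the Ed25519 choice and the user names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Client keeps the private key in the user's own process; it is never
// serialised, uploaded or shared. (Constructed example, not from the thread.)
type Client struct{ priv ed25519.PrivateKey }

func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Client{priv: priv}, err
}

// PublicKey is the only key material the client hands out, e.g. in a published profile.
func (c *Client) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

// Respond computes C(text) locally; the server never sees the private key.
func (c *Client) Respond(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// Server stores only public keys, so compromising it leaks no private keys.
type Server struct{ known map[string]ed25519.PublicKey }

// Challenge returns a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify checks the signature against the stored public key; no private key is needed.
// Unknown users and bad signatures get the same answer, so the check leaks nothing.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.known[user]
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return errors.New("authentication failed")
	}
	return nil
}

// Authenticate runs one round; only the nonce and the signature cross the wire.
func Authenticate(c *Client, s *Server, user string) error {
	challenge, err := s.Challenge()
	if err != nil {
		return err
	}
	return s.Verify(user, challenge, c.Respond(challenge))
}
```

The server-side map stands in for whatever store holds users' published public keys; the key managers mentioned in the mail would play the Client role on the user's machine.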