[17142] in cryptography@c2.net mail archive
Re: Do You Need a Digital ID?
daemon@ATHENA.MIT.EDU (Anne & Lynn Wheeler)
Fri Mar 25 10:21:40 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 23 Mar 2005 13:57:13 -0700
From: Anne & Lynn Wheeler <lynn@garlic.com>
To: Jerrold Leichter <jerrold.leichter@smarts.com>
Cc: "R.A. Hettinga" <rah@shipwright.com>, cryptography@metzdowd.com
In-Reply-To: <42419C31.5070905@garlic.com>
Anne & Lynn Wheeler wrote:
> 3-factor authentication paradigm obviously also doesn't cover whether
> the authentication is direct fact-to-face or that the relying party is
> infering authentication taking place by the existance of other kinds of
> evidence. for instance, a relying party validating a digital signature
> with a public key will infer that the other party is in possession of
> the corresponding private key. the relying party may not have direct
i.e.
http://www.garlic.com/~lynn/aadsm19.htm#5 Do You Need a Digital ID?
one of the possible side-effects of applying 3-factor authentication
paradigm ... and observing that
1) the verification of a digital signature is just a method
of inferring the possession of a specific private key
2) the possession of a private key obviously (theoritically possible,
but i know of not instances of people memorizing private keys) isn't
"something you know" authentication and a private key isn't "something
you are" authentication ... leaving it to be "something you have"
authentication (aka in your possession)
3) private keys in their simplest form are just electronic bits that are
relatively easy to copy
then in order for a private key to be useful in a "something you have"
authentication, it follows fairly staight-forwardly that significant
security procedures and countermeasures are required to prevent such
copying (in order to provide some level of assurance that the assumed
entity is consistantly and uniquely in possession of the specific
private key).
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
