[OpenID] [oauth] Re: [diso-project] Re: OpenID Accessibility
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Nov 3 09:53:50 UTC 2008
On 11/03/2008 11:38 AM, Ben Laurie:
>> Well, not sure which "secret" you mean here. The only secret with client
>> certs is the private key which is generated in the browser or smart card and
>> stored within the relevant security module. However your idea of the browser
>> providing "phishing resistant password scheme" is what I meant to question
>> really, since there are no phishing resistant user name / password pairs -
>> it simply doesn't exist.
>>
>
> Really? Why not? What about SRP or J-PAKE?
>
Isn't OpenID actually similar to what SRP does in some way? In any case
it's by the use of yet another third-party server... and then you are at
the same point more or less, isn't it?
>> Client certificate authentication can't be phished.
>>
>
> I know. My point was that in order to acquire a client certificate,
> you have to somehow prove who you are - usually by showing you know
> some secret.
No, it doesn't have to be. Usually client certificates are used mainly
for S/MIME (which requires the validation of some email address), but
they can function for authentication (and authentication only, without
the S/MIME capabilities). The only exchange is really the public key
submitted to the CA and the issuance of the certificate. There is no
need to exchange any other information, none of it is a secret either.
In any case, authentication via client certificate authentication is
non-phishable because there is nothing to take from the user. Any
information (let's say certificate content and public key) is completely
useless to a phisher...
...and apparently quite some OPs adopted exactly that, which might
suggest this to be one of the better solutions to avoid phishing and
other misuse.
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
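The flow Eddy describes above, as an added example that is not code from this thread or from any OpenID project: the client generates and keeps its private key, the CA receives only a CSR carrying the public key, and the relying party checks the chain plus a signature over a fresh challenge. It assumes Go's standard crypto/x509 library; the demo root CA, the user name "alice" and the challenge bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ok panics on error to keep the demo short; production code would return the error instead.
func ok[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue signs tmpl under parent with signerKey (one-day validity) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub any, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return ok(x509.ParseCertificate(ok(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey))))
}
// NewCA builds a self-signed root standing in for the issuing CA (constructed for this demo).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := ok(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}
// Enrol: the client generates its key pair locally and sends only a CSR (name + public key); the
// CA checks the CSR's proof-of-possession signature and issues the certificate. No secret is exchanged.
func Enrol(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	clientKey := ok(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	csr := ok(x509.ParseCertificateRequest(ok(x509.CreateCertificateRequest(rand.Reader, req, clientKey))))
	ok(0, csr.CheckSignature()) // CA side from here: the request must be signed by the matching private key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return clientKey, issue(tmpl, caCert, csr.PublicKey, caKey)
}
// Sign is the client's login step: sign a fresh relying-party challenge with the private key.
func Sign(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return ok(ecdsa.SignASN1(rand.Reader, key, h[:]))
}
// VerifyLogin is the relying party's step: chain the certificate to a trusted root, then check the
// challenge signature. What a phisher could capture (certificate, public key) cannot produce it.
func VerifyLogin(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) bool {
	_, chainErr := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	pub, isEC := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	return chainErr == nil && isEC && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

The relying party must issue a new random challenge per login; reusing one would turn a captured signature into a replayable credential.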