[OpenID] [oauth] Re: [diso-project] Re: OpenID Accessibility

Ben Laurie benl at google.com
Mon Nov 3 10:54:45 UTC 2008


On Mon, Nov 3, 2008 at 9:53 AM, Eddy Nigg (StartCom Ltd.)
<eddy_nigg at startcom.org> wrote:
> On 11/03/2008 11:38 AM, Ben Laurie:
>
> Well, not sure which "secret" you mean here. The only secret with client
> certs is the private key which is generated in the browser or smart card and
> stored within the relevant security module. However your idea of the browser
> providing "phishing resistant password scheme" is what I meant to question
> really, since there are no phishing resistant user name / password pairs -
> it simply doesn't exist.
>
>
> Really? Why not? What about SRP or J-PAKE?
>
>
> Isn't OpenID actually similar to what SRP does in some way? In any case it's
> by the use of yet another third party server...and then you are at the same
> point more or less, isn't it?
>
> Client certificate authentication can't be phished.
>
>
> I know. My point was that in order to acquire a client certificate,
> you have to somehow prove who you are - usually by showing you know
> some secret.
>
> No, it doesn't have to be. Usually client certificates are used mainly for
> S/MIME (which requires the validation of some email address), but they can
> function for authentication (and authentication only, without the S/MIME
> capabilities). The only exchange is really the public key submitted to the
> CA and the issuance of the certificate. There is no need to exchange any
> other information, none of it is a secret either. In any case,
> authentication via client certificate authentication is non-phishable
> because there is nothing to take from the user. Any information (let's say
> certificate content and public key) is completely useless to a phisher...
>
> ...and apparently quite some OPs adopted exactly that, which might suggest
> this to be one of the better solutions to avoid phishing and other misuse.

There are two cases. In one case, I just want to prove I'm the same
guy as last time. In this case, a client cert without any further
validation is fine. In fact, a self-signed cert is all that's needed,
no requirement for a CA - in fact, this is exactly what a Cardspace
self-issued card is.

In the other case I want to prove I'm someone in particular (e.g. Ben
Laurie, Google employee) - in this case I need to prove who I am in
order to obtain the certificate. One way to do this is, as you say, to
demonstrate ownership of an email address - and if everything works
right, perhaps the email you send to "prove" that will not be
intercepted en route. Another way that crops up fairly regularly is to
use a shared secret of some kind (e.g. a password - one-time or not).
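The thread mentions SRP as a phishing-resistant password scheme without showing what that property means in practice. The following is an added example, not code posted by either correspondent: a pure-stdlib SRP-6a exchange (RFC 2945 message structure, group taken from RFC 5054 Appendix A, SHA-256 instead of the RFC's SHA-1). The password never leaves the client, the server holds only a salt and a verifier, and an impostor server that lacks the verifier can test exactly one password guess per handshake and cannot produce a valid M2, so the client detects it. The usernames, passwords and the "impostor already observed the salt" assumption are constructed for the demonstration.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A (copied from the RFC; the Fermat
# check in the usage below is a cheap guard against a transcription error).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def Hi(*parts: bytes) -> int:
    return int.from_bytes(H(*parts), "big")

def pad(n: int) -> bytes:
    # Left-pad to the group size so both sides hash identical bytes.
    return n.to_bytes(N_LEN, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

k = Hi(pad(N), pad(g))                      # SRP-6a multiplier
HN_XOR_HG = xor(H(pad(N)), H(pad(g)))       # fixed prefix of the M1 proof

def private_x(username: str, password: str, salt: bytes) -> int:
    return Hi(salt, H(username.encode(), b":", password.encode()))

def enroll(username: str, password: str):
    """Client-side enrolment: only (salt, verifier) are handed to the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

class Client:
    def __init__(self, username: str, password: str):
        self.I, self.P = username, password
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)

    def start(self):
        return self.I, self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent invalid B")
        u = Hi(pad(self.A), pad(B))
        x = private_x(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = H(pad(S))
        self.M1 = H(HN_XOR_HG, H(self.I.encode()), salt, pad(self.A), pad(B), self.K)
        return self.M1

    def finish(self, M2: bytes) -> bool:
        # Server proves it derived the same K, i.e. that it really held the verifier.
        return secrets.compare_digest(M2, H(pad(self.A), self.M1, self.K))

class Server:
    def __init__(self, db):
        self.db = db  # username -> (salt, verifier); no password is stored

    def challenge(self, I: str, A: int):
        if A % N == 0:
            raise ValueError("client sent invalid A")
        salt, v = self.db[I]
        b = secrets.randbits(256)
        B = (k * v + pow(g, b, N)) % N
        u = Hi(pad(A), pad(B))
        S = pow(A * pow(v, u, N) % N, b, N)
        self.K, self.A = H(pad(S)), A
        self.expected_M1 = H(HN_XOR_HG, H(I.encode()), salt, pad(A), pad(B), self.K)
        return salt, B

    def verify(self, M1: bytes):
        """Return M2 if the client's proof matches, else None."""
        if not secrets.compare_digest(M1, self.expected_M1):
            return None
        return H(pad(self.A), M1, self.K)

def run_handshake(server: Server, client: Client):
    """Drive one exchange. Returns (server_accepted, client_accepted)."""
    salt, B = server.challenge(*client.start())
    M2 = server.verify(client.respond(salt, B))
    return M2 is not None, M2 is not None and client.finish(M2)

def honest_login(username, real_password, typed_password):
    server = Server({username: enroll(username, real_password)})
    return run_handshake(server, Client(username, typed_password))

def impostor_login(username, real_password, impostor_guess):
    """Phishing server with no verifier. Assumed to have seen the username and
    salt (both travel in the clear). It can check one guess per handshake by
    building a verifier from that guess; the transcript it sees (A, M1) never
    contains the password itself."""
    salt, _ = enroll(username, real_password)
    fake_v = pow(g, private_x(username, impostor_guess, salt), N)
    return run_handshake(Server({username: (salt, fake_v)}),
                         Client(username, real_password))
```

Usage: `honest_login("alice", "correct horse", "correct horse")` returns `(True, True)`, a mistyped password gives `(False, False)`, and `impostor_login` with a wrong guess also gives `(False, False)`; only a correct guess lets the impostor through, which is the one-online-guess-per-handshake limit of any PAKE. The protocol protects the password only when the client side (here the `Client` class, in the thread's setting the browser) performs the computation; a user who types the password into an attacker's form has bypassed it entirely.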
