Server-to-server channel
Vinay Gupta
hexayurt at gmail.com
Thu Apr 5 10:49:29 UTC 2007
On Apr 5, 2007, at 10:40 AM, Douglas Otis wrote:
> Although the world demands GUI, terminal interfaces already offer a
> powerful set of tools for doing exactly what is needed. Public key
> cryptography reduces the overhead and security concerns substantially.
> This may also provide an alternative for rather complex OpenID
> extensions that will likely overreach with respect to security.

The literature on both Capability Based Operating Systems and
Kerberos should be considered pretty closely here. It's very easy to
design systems which are subject to man-in-the-middle attacks and
replay attacks, and the semantics of security are equally important
(like "what did the user just cryptographically authorize? they
thought they authorized access to their name, but the request lied
about what it was for...")

Kerberos has an exquisite design for handling network authentication
and should probably be considered as a template for subsequent
systems. It is old and well examined, and still trusted. Perhaps it
would make sense to implement Kerberos over OpenID to solve some or
all of these security problems?

http://web.mit.edu/Kerberos/

Vinay
--
Vinay Gupta - Designer, Hexayurt Project - an excellent public domain
refugee shelter system
Gizmo Project VOIP: 775-743-1851 (usually works!)
Cell: Iceland (+354) 869-4605
http://howtolivewiki.com/hexayurt - old
http://appropedia.org/Hexayurt_Project - new
Skype/Gizmo/Gtalk: hexayurt
I have a proof which unfortunately this signature is too short
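
An added illustration of the failure modes named in the message above, not part of the original post or of any OpenID or Kerberos specification: a server-to-server verifier that refuses replays using a Kerberos-style timestamp window plus replay cache, and refuses requests whose authenticated scope exceeds what the user approved. The shared HMAC key, the field names (aud, nonce, scope, ts), the result strings and the 300-second window are assumptions made for this example.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300  # assumed freshness window in seconds


def _mac(key, body):
    # Canonical JSON so both sides MAC identical bytes.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_request(key, scope, audience, nonce, now):
    """Requester side: the MAC covers scope, audience, nonce and time."""
    body = {"aud": audience, "nonce": nonce, "scope": sorted(scope), "ts": int(now)}
    return {"body": body, "mac": _mac(key, body)}


class Verifier:
    def __init__(self, key, name):
        self.key, self.name = key, name
        self.seen = {}  # replay cache: nonce -> request timestamp

    def check(self, req, approved_scope, now):
        """Return "ok" or the reason the request is refused."""
        body = req.get("body")
        if not isinstance(body, dict) or set(body) != {"aud", "nonce", "scope", "ts"}:
            return "malformed"
        sent = str(req.get("mac", "")).encode()
        if not hmac.compare_digest(_mac(self.key, body).encode(), sent):
            return "bad-mac"  # altered in transit or wrong key
        if body["aud"] != self.name:
            return "wrong-audience"  # authenticated for a different server
        if abs(now - body["ts"]) > MAX_SKEW:
            return "stale"
        # Drop nonces whose requests can no longer pass the freshness check.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if body["nonce"] in self.seen:
            return "replay"
        if not set(body["scope"]) <= set(approved_scope):
            return "scope-exceeds-consent"  # asks for more than the user saw
        self.seen[body["nonce"]] = body["ts"]
        return "ok"


if __name__ == "__main__":
    v = Verifier(b"constructed-demo-key", "rp.example")  # constructed values
    r = sign_request(b"constructed-demo-key", ["name"], "rp.example", "n1", 1000)
    print(v.check(r, ["name"], 1000), v.check(r, ["name"], 1001))
```

The approved_scope argument stands for whatever the user was actually shown and agreed to; comparing it against the authenticated scope is what closes the "request lied about what it was for" gap.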