11 Jul 2001 cpw   » (Apprentice)

OK, so here's my basic proposal for a net-wide authentication service.

Trusted third party authentication (Kerberos-like). User need not trust service and vice versa - instead, they negotiate use of an authentication server they both trust. Ideally, we don't want to entirely trust any one authentication server, or perhaps even any one authentication service provider, but this is deep magic to me.

Users and services generate their own public keys, a la PGP. Paying a CA just to have a key is not on - paying for one to trust your key may be. Especially a CA that actually looks at you, takes photos, affidavits and skin samples, and will then commit to an authentication reliability guarantee which high-security applications will require.

We'll need to be able to implement a client on a smart card.

We'll need to implement a client in IE and Mozilla somehow.

We'll need to do it all fast, before Microsoft and AOL take over.

Pluggable encryption schemes would be nice. Ideally the encryption scheme would be implemented in a portable bytecode of some kind. Crypto codec could possibly be negotiable between client, server and authenticator. The service protocols will probably be more vulnerable than the encryption algorithms, so this may not really be cost-effective, but it's worth thinking about.
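The trusted-third-party exchange sketched above (the user and the service each name the authenticators they trust, agree on one in common, and that authenticator vouches for the user to the service), as an added worked example that is not part of the original post. Everything in it is my construction: the names `Authenticator`, `Service` and `choose_authenticator`, the ticket fields, and the demo data. One stand-in to note: the authenticator and each service share a key and HMAC-SHA256 plays the role of the signature a public-key design would use, which keeps the example on the standard library; the protocol shape, and the checks the service performs (trusted issuer, valid tag, right audience, within lifetime, not replayed), do not change if sign/verify are swapped for a public-key signature.

```python
# Added example, not code from the original post: a minimal Kerberos-style
# trusted-third-party exchange with the verifier-side checks spelled out.
import hashlib
import hmac
import json
import secrets
import time


def choose_authenticator(user_trusted, service_trusted):
    """Negotiation step: pick an authenticator both sides trust.
    With no common one the exchange cannot proceed; refuse rather than
    fall back to a party only one side trusts."""
    common = sorted(set(user_trusted) & set(service_trusted))
    if not common:
        raise ValueError("no mutually trusted authenticator")
    return common[0]


def _canonical(ticket):
    # Deterministic encoding so issuer and verifier MAC exactly the same bytes.
    return json.dumps(ticket, sort_keys=True, separators=(",", ":")).encode()


class Authenticator:
    def __init__(self, name, ticket_lifetime=300):
        self.name = name
        self.ticket_lifetime = ticket_lifetime
        self._user_secrets = {}   # user -> enrolled secret (constructed demo data)
        self._service_keys = {}   # service -> key shared with that service (stand-in for a signing key)

    def enroll_user(self, user, secret):
        self._user_secrets[user] = secret

    def register_service(self, service):
        key = secrets.token_bytes(32)
        self._service_keys[service] = key
        return key   # handed to the service out of band at registration

    def issue_ticket(self, user, secret, service, now=None):
        """Authenticate the user, then mint a short-lived ticket bound to one service."""
        expected = self._user_secrets.get(user)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise PermissionError("user authentication failed")
        if service not in self._service_keys:
            raise KeyError("unknown service")
        now = time.time() if now is None else now
        ticket = {
            "issuer": self.name,
            "subject": user,
            "audience": service,          # binds the ticket to exactly one service
            "issued_at": int(now),
            "expires_at": int(now) + self.ticket_lifetime,
            "nonce": secrets.token_hex(16),
        }
        tag = hmac.new(self._service_keys[service], _canonical(ticket), hashlib.sha256).hexdigest()
        return ticket, tag


class Service:
    def __init__(self, name, trusted_authenticators):
        self.name = name
        self.trusted = set(trusted_authenticators)
        self._keys = {}           # authenticator name -> key shared with that authenticator
        self._seen_nonces = set()  # replay cache; in practice bounded by ticket lifetime

    def add_authenticator_key(self, authenticator, key):
        self._keys[authenticator] = key

    def verify_ticket(self, ticket, tag, now=None):
        """Return (accepted, subject-or-reason); each check is a distinct failure mode."""
        now = time.time() if now is None else now
        issuer = ticket.get("issuer")
        if issuer not in self.trusted or issuer not in self._keys:
            return False, "untrusted issuer"
        if ticket.get("audience") != self.name:
            return False, "ticket issued for another service"
        expected = hmac.new(self._keys[issuer], _canonical(ticket), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        if not ticket["issued_at"] <= now < ticket["expires_at"]:
            return False, "ticket expired or not yet valid"
        if ticket["nonce"] in self._seen_nonces:
            return False, "replayed ticket"
        self._seen_nonces.add(ticket["nonce"])
        return True, ticket["subject"]


def demo():
    """End-to-end run over constructed data; returns the services' verdicts."""
    auth = Authenticator("auth.example")
    auth.enroll_user("alice", b"correct horse battery staple")
    mail = Service("mail.example", ["auth.example", "other-ca.example"])
    mail.add_authenticator_key("auth.example", auth.register_service("mail.example"))
    files = Service("files.example", ["auth.example"])
    files.add_authenticator_key("auth.example", auth.register_service("files.example"))

    chosen = choose_authenticator(["auth.example", "pgp-web.example"], mail.trusted)
    ticket, tag = auth.issue_ticket("alice", b"correct horse battery staple", chosen and "mail.example", now=1_000_000)
    return {
        "chosen": chosen,
        "fresh": mail.verify_ticket(ticket, tag, now=1_000_010),
        "replay": mail.verify_ticket(ticket, tag, now=1_000_020),
        "wrong_service": files.verify_ticket(ticket, tag, now=1_000_010),
        "expired": mail.verify_ticket(ticket, tag, now=1_000_400),
        "tampered": mail.verify_ticket(dict(ticket, subject="mallory"), tag, now=1_000_010),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```

The verifier's checks are ordered so that each rejection names a single cause, which is what you want in the service's audit log: an "untrusted issuer" entry and a "replayed ticket" entry point at very different problems. The replay cache is the one piece of state the service must keep; because every ticket carries an expiry, the cache only needs to remember nonces for the ticket lifetime.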
