[Auth]First thoughts on authorization

From: Gordon Hanson
Subject: [Auth]First thoughts on authorization
Date: Wed, 11 Jul 2001 15:26:22 -0500

My initial thoughts were that a completely decentralized system could not be developed. But as I think about it, the real world works as a decentralized trust relationship thingy.

I go to a store and wish to purchase some widgets. I write a check, and the clerk wants some ID (a token of identification from a third party). The clerk checks the store's official list of trusted identification authorities and allows (or disallows) the check. I then leave (or don't) with my widgets.

In this case a token (my driver's license, credit card, or other ID card) was used to prove that I was who I said I was. The same concept can be used here for virtual authentication. E.g. I ask server A for a restricted service, and server A and my computer negotiate what an acceptable identification authority is. Then server A contacts the ID-Authority and sends it a random string encoded with the ID-Authority's public key. The ID-Authority decodes the string, and then sends it to my computer encoded with the public key that was set up previously, and I decode it and send it back to server A, thereby proving that I am who I say I am (based on the fact that I have logged in with my pass phrase).

This is only one type of authentication, and does not preclude others, either more simple or complex.

Any comments?
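The three-party exchange described in the post, as an added example that is not the author's code: textbook RSA over small fixed primes (constructed here, for illustration only) stands in for the public-key "encode"/"decode" steps, the ID-Authority is assumed to hold the user's previously registered public key, and the flow is run once with the real user key and once with an impostor's key.

```python
import secrets

# Textbook RSA over small fixed primes so the three-party exchange runs offline.
# Illustration only: real deployments need large keys and OAEP padding.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent
    return (e, n), (d, n)              # (public, private)

def encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)

def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)

# Constructed keys: the ID-Authority's, and the user's, which the post says was
# "set up previously" (assumed here: the authority holds the user's public key).
AUTH_PUB, AUTH_PRIV = make_keypair(1299709, 15485863)
USER_PUB, USER_PRIV = make_keypair(104729, 1299709)
CHALLENGE_BITS = 32  # keeps the challenge below both moduli

def server_a_issue_challenge(auth_pub):
    """Server A draws a fresh random challenge and encodes it for the ID-Authority."""
    challenge = secrets.randbits(CHALLENGE_BITS) | 1
    return challenge, encrypt(auth_pub, challenge)

def id_authority_relay(auth_priv, user_pub, ciphertext):
    """The ID-Authority decodes the challenge and re-encodes it under the user's key."""
    return encrypt(user_pub, decrypt(auth_priv, ciphertext))

def user_respond(user_priv, ciphertext):
    """The user's computer decodes the relayed challenge to send back to server A."""
    return decrypt(user_priv, ciphertext)

def server_a_verify(challenge, response):
    """Server A accepts only if the echoed value matches what it issued."""
    return challenge == response

def run_exchange(responder_priv):
    """Full flow; True only when the responder holds the registered user key."""
    challenge, to_authority = server_a_issue_challenge(AUTH_PUB)
    to_user = id_authority_relay(AUTH_PRIV, USER_PUB, to_authority)
    response = user_respond(responder_priv, to_user)
    return server_a_verify(challenge, response)

if __name__ == "__main__":
    print("legitimate user:", run_exchange(USER_PRIV))                       # True
    print("impostor key:", run_exchange(make_keypair(104729, 15485863)[1]))  # False
```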


