Re: [Auth]Re: Auth digest, Vol 1 #35 - 5 msgs

[Albert Scherbinsky]

Fernando Ipar wrote:
> 
> This is my first post to the list, i've been meaning to ask this and now that 
> the subject has been
> brought up i'll take the chance. How hard would it be to implement the auth 
> system using digital
> certificates along with username & password ?. I know pgp signatures can be 
> used as an
> alternative, but i'm interested in using a PKI, giving any provider the 
> ability to use it's
> users certificates for authentication (for it's own services and other dotgnu 
> services).
> I have experience in financial institutions providing some services on the 
> internet (account operations
> such as balances and transfers, credit card balance check, etc) and the use 
> of digital certificates proved
> to be very usefull more than once (if you base your authentication solely on 
> username/password, an internal leak
> could easly lead into a disaster, if you use digital certificates and your CA 
> has reasonable levels of
> security it is much harder for any potential attacker to exploit your system).
> 
> I would like to hear other's opinion on this matter, i know this probably 
> isn't an important issue for the
> first release but it could be taken into account in the desing anyway.
> 
> best regards,
> 
>         Fernando Ipar.

I agree, we should try and limit the complexity for a first
release.  Can you see how the current framework can be
extended to support your ideas?  If so, can you provide a
quick description. If not, how do we need to change the
framework to support your ideas.

Regards,
-- 
Albert Scherbinsky
Drop by at: http://members.home.net/alberts/

Convenient control of our personal information:
Single Login:
http://members.home.net/alberts/single.htm
Simple Interface Markup Language:
http://members.home.net/alberts/siml.htm
Personal Information Base XML
http://members.home.net/alberts/PIB.htm