Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: OpenID. The future of authentication on the web?
From: "Pedro Hugo" <fractalg () highspeedweb net>
Date: Mon, 24 Mar 2008 06:16:40 -0500 (EST)

The correct solution, IMO, would be an encrypted password vault,
stored on a USB drive and only available through the use of a password
and some other form of identification (biometric, etc.)

What about kiosks and other situations where it wouldn't be secure to
allow arbitrary people to insert USB keys? This vault requires a support
system of some kind; does there need to be software on the system to
read it? Do you trust that software?

And even encryption solution have their problems as the key recovery from
ram paper has shown...

If we use public/private keys with SSH, why not use it with more services,
like web ones ? :)
Keys owners would have the responsability to manage their keys (password
recovery procedures substituted by key procedures) and their passwords...

Of course it would take a long time to deploy and teach the general public
about it, but isn't that what security pros are trying to do for a long
time ?

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]