certificate-based-login

Pietry
Senior Member
Posts: 328
Joined: 04 Dec 2007, 07:25
Location: Bucharest
Contact:

Re: certificate-based-login

Post by Pietry » 01 Dec 2008, 18:18

This is intended to replace password-based login. And this is not so easy to crack since all money transfers, bank accounts and stuff are done via TLS :P
There is no failure with PGP, PKI is widely used around the world... I'm not sure if this is actually part of the PGP
Just someone

Dj_Offset
Member
Posts: 53
Joined: 15 Sep 2008, 21:48
Location: adcs://adcs.uhub.org:1511
Contact:

Re: certificate-based-login

Post by Dj_Offset » 01 Dec 2008, 19:44

So, why do we need to replace passwords? Come with the use cases, please!

You talk about "cracking" the encryption, it is totally irrelevant and missing my point. Encryption is no silver bullet. All online banking is handled with TLS, meaning your connection between your browser and presumably your bank is encrypted. Yay, a padlock - it must be secure now, eh? Still, US banks are losing billions of dollars every year.

Looking at the market place, PGP has been an immense failure. How often do you send PGP encrypted (or signed) mails to your non-geek friends or family? How many key signing parties have you attended? PGP does have a PKI, called a web of trust.

On the web we have another PKI, where your friends or foes can pay a "certificate authority" a certain amount of $$$ to get a padlock in your browser to ensure you it's OK.

My point is, a PKI is hard to get right --- and if you do, it's too hard to use for normal people.

Pietry

Re: certificate-based-login

Post by Pietry » 29 Dec 2008, 08:32

Normal people don't have to know the behinds. All we need to do is make things more secure for them but without them interfering too much.
After some talks with quicksilver (aka jucy dev), at his suggestion I'm considering a simpler way to handle these certificates. All the hub has to do is to keep a list of authorized public keys and see if the connecting user matches. This way no signing is required and no certificate transfers between hub and clients.
Just someone

Pietry

Re: certificate-based-login

Post by Pietry » 29 Dec 2008, 08:36

"Still, US banks are losing billions of dollars every year."
Yes, and not because some cracking machine is getting the encrypted traffic and finds out users' personal info. Banks lose money because of users' stupidity and ignorance. Social engineering, phishing, inserting a trojan in the user's computer are the ways robbers get access.
Just someone

Dj_Offset

Re: certificate-based-login

Post by Dj_Offset » 02 Jan 2009, 10:18

Since software security is at the core of what I do for a living, I'll chip in a few points here:

I don't see anything here that would make things easier or more secure for anybody. In fact, I see quite the opposite: We are creating a pain-in-the-ass extension for hub admins and annoyances for users.

Let me explain why I think this is bad:

1) It solves a problem that does not exist.
We can already use SSL for hubs, and have hubs use proper certificates... Yes, that costs money. I got a cert for my host for as little as £9.
Hubs authenticate to the users automatically by matching actual hostname and the one stated in the certificate. If mismatch, treat the hub as untrusted (SSL security 101).
Users can authenticate to the hub using a combination of username + password or CID + password (or as this spec says, a cert, but that's what I'm arguing against, so I will not mention it, *doh*).

2) It creates lots of extra work for admins and users.
Admins need to spend more time managing certificates. The certificates need to be communicated in an out-of-band information channel, but how that is supposed to happen is not covered here. Users will have to spend more effort to copy their key pairs to their different computers in order to access their favourite hub; otherwise, the hub admin will have to register multiple certificates for multi-computer users (count me in this category).

3) It does not really solve the problem
The problem as witnessed on the browser side, where banks are losing billions of dollars as I mentioned earlier is mainly caused by the lack of authentication of the server to the user. It is mainly a UI presentation problem in my opinion. *This* spec does not even mention how to deal with that, but only focuses on how users authenticate to hubs. This is a grave flaw.

On the contrary, if used properly this can lead to a fully PKI-based and passwordless system. Don't get me wrong though; passwords have their fair share of problems, they are mostly user related, but I'm not comfortable swapping passwords for a technology most users and developers do not understand.

Anyway, the good news is, that this proposal is an extension, thus optional, and therefore can safely be ignored by hub admins, users and ADC developers. :-)

Happy new year, btw.

Pietry

Re: certificate-based-login

Post by Pietry » 23 Jan 2009, 10:16

While trying to set up an authorized_keys file for dshub I hit myself with the problem of authentication. It seems that current software and the SSL system have a problem: we can't make our own CA system independently of others (or only with a big pain in the ***).
Well, my main reason that I was going for the certificates is that encryption by itself does not help too much either (it just masks the traffic), so there is not too much privacy; and the certificates would make cracking hub accounts almost impossible.
Here is the talk I've been having on the Java forums:
http://forums.sun.com/thread.jspa?threa ... 3&tstart=0
If anyone has a better idea about this problem please post (except JVK's opinion, I know he is completely against it :P)
Just someone

Dj_Offset

Re: certificate-based-login

Post by Dj_Offset » 23 Jan 2009, 11:40

Call me a sceptic, but I suggest sticking to what *works*.
- Hub/server register a certificate through an ordinary CA.
- Or generate a self-signed certificate.

Client connects (pseudo code):

if SSLCert is valid for host?
    if SSLCert is not revoked
        Login with password
    else
        PREVENT LOGIN - PROBABLY A SPOOF!
    endif
else
    if Have SSLCert for this host?
        if SSLCert accepted for this host before?
            Login with password
        else
            PREVENT LOGIN - PROBABLY A SPOOF!
        endif
    else
        Ask if user wants to accept the cert, and provide cert fingerprint.
    endif
endif

This allows for servers to use a regular CA, or fall back to self-signed certificates using the same model as SSH uses.
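The decision tree in the pseudocode above, as an added Python example that is not part of the original post. The hub address, the certificate byte strings and the pin store are constructed for illustration, and `ca_valid` and `revoked` are assumed to be results handed over by the TLS library's own chain, hostname and revocation checks.

```python
import hashlib
from enum import Enum


class Decision(Enum):
    LOGIN = "login with password"
    BLOCK = "prevent login: probable spoof"
    ASK_USER = "show fingerprint, ask user to accept"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as shown to the user."""
    return hashlib.sha256(cert_der).hexdigest()


def decide(hub: str, cert_der: bytes, ca_valid: bool, revoked: bool,
           pins: dict) -> Decision:
    """Mirror of the pseudocode; ca_valid/revoked are assumed inputs
    from the TLS library, pins maps hub address -> accepted fingerprint."""
    if ca_valid:
        return Decision.BLOCK if revoked else Decision.LOGIN
    pinned = pins.get(hub)
    if pinned is None:
        return Decision.ASK_USER          # first contact: nothing to compare
    if pinned == fingerprint(cert_der):
        return Decision.LOGIN             # same cert the user accepted before
    return Decision.BLOCK                 # cert changed since it was pinned


def accept(hub: str, cert_der: bytes, pins: dict) -> None:
    """Record the user's explicit acceptance of a self-signed cert."""
    pins[hub] = fingerprint(cert_der)


def demo() -> list:
    # Constructed stand-ins for DER certificates; hub name is hypothetical.
    real, spoof = b"constructed-self-signed-cert", b"constructed-other-cert"
    hub, pins, seen = "adcs://hub.example:1511", {}, []
    seen.append(decide(hub, real, False, False, pins))   # first visit
    accept(hub, real, pins)                              # user says yes
    seen.append(decide(hub, real, False, False, pins))   # later visit
    seen.append(decide(hub, spoof, False, False, pins))  # cert swapped
    seen.append(decide(hub, real, True, True, pins))     # CA-valid but revoked
    return seen


if __name__ == "__main__":
    for d in demo():
        print(d.value)
```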

Quicksilver
Member
Posts: 56
Joined: 17 Aug 2009, 21:32

Re: certificate-based-login

Post by Quicksilver » 05 Dec 2010, 10:18

The linked threads seem to have ceased working. (Maybe the move to Oracle broke these.)

Anyway, could Pietry point out what's the problem with storing hash values of the certs for authentication?
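A sketch of the hub-side check discussed in this thread (Pietry's list of authorized keys, and the stored certificate hashes asked about above), added here as an example and not code from dshub or any poster. The "nick sha256-hex" file format, the nicks and the certificate byte strings are constructed; it hashes the whole DER certificate rather than the bare public key, and it assumes the TLS handshake has already proved the client holds the private key for the certificate it presented.

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")


def fp(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate the client presented in TLS."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for client certificates (not real DER).
LAPTOP = b"constructed-cert-laptop"
DESKTOP = b"constructed-cert-desktop"
STRANGER = b"constructed-cert-unknown"

# Constructed allow-list; a nick may appear once per computer it uses.
AUTHORIZED = f"""\
# nick   sha256 of certificate
alice {fp(LAPTOP)}
alice {fp(DESKTOP)}   # second machine
bob   not-a-hash
"""


def load_authorized(text: str) -> dict:
    """Parse the list into {nick: {fingerprint, ...}}."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue                      # blank line or comment
        if len(parts) != 2 or len(parts[1]) != 64 \
                or not set(parts[1].lower()) <= HEX:
            continue                      # malformed entry authorizes nobody
        table.setdefault(parts[0], set()).add(parts[1].lower())
    return table


def is_authorized(nick: str, peer_cert_der: bytes, table: dict) -> bool:
    """True only if this nick is registered with this exact certificate.
    The hash alone proves nothing (certificates are public); possession
    of the key is assumed to have been proved by the TLS handshake."""
    presented = fp(peer_cert_der)
    return any(hmac.compare_digest(presented, known)
               for known in table.get(nick, ()))


if __name__ == "__main__":
    t = load_authorized(AUTHORIZED)
    for nick, cert in [("alice", LAPTOP), ("alice", STRANGER), ("bob", LAPTOP)]:
        print(nick, is_authorized(nick, cert, t))
```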

Toast

Re: certificate-based-login

Post by Toast » 14 Jan 2011, 10:27

2 years since any activity; should this idea be rejected due to inactivity?

Locked