Coda File System

Re: global identities name space?

From: Stephen J. Turnbull <stephen_at_xemacs.org>
Date: Thu, 22 Jan 2004 18:19:31 +0900
>>>>> "Ivan" == Ivan Popov <pin_at_medic.chalmers.se> writes:

    >> I would say SSH _is_ an authentication service that happens to
    >> also provide remote login and remote file access as typical
    >> applications.

    Ivan> Huh? How can I use ssh to verify authenticity of a client
    Ivan> for some other service than remote login? Say music
    Ivan> distribution over http, to name one...

When they sign the contract for the music service, you ask them for
their SSH public key and they access the service via SSH
port-forwarding.  I haven't tried this with generic TCP ports like
HTTP, but works fine with X11.

    Ivan> It does not export the authentication via an API or via a
    Ivan> feasible protocol.

I don't understand what "export an authentication" means in the
context of self-authenticating IDs like a public key.  Ie, you wrote
"Then instead of applying for an identity (name and password) at say
CMU, I'd simply ask for allowing login+ftp+... access for my Chalmers
account."  But this is in practice how we use SSH at cvs.xemacs.org!
Except that we substitute "personal SSH public key" for "Chalmers
account".

Also, "As soon as my authentication authorities are exported in a
global fashion, they become useful for all who trust my security
procedures."  But this isn't authentication, it's certification.  I
don't see what you can do with your "global token" that can't be done
by calling up Chalmers (by any convenient and "sufficiently secure"
protocol) and asking if such and such a public key is registered with
their certification authority.

Also, it looks to me like the global token is less secure against a
subverted certification authority, who can basically masquerade as
anybody unless you do a separate personal authentication.

-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.
Received on 2004-01-22 04:24:54