>>>>> "Ivan" == Ivan Popov <pin_at_medic.chalmers.se> writes:

    >> I would say SSH _is_ an authentication service that happens to
    >> also provide remote login and remote file access as typical
    >> applications.

    Ivan> Huh? How can I use ssh to verify authenticity of a client
    Ivan> for some other service than remote login? Say music
    Ivan> distribution over http, to name one...

When they sign the contract for the music service, you ask them for
their SSH public key and they access the service via SSH port-forwarding.
I haven't tried this with generic TCP ports like HTTP, but it works fine
with X11.

    Ivan> It does not export the authentication via an API or via a
    Ivan> feasible protocol.

I don't understand what "export an authentication" means in the context
of self-authenticating IDs like a public key. I.e., you wrote

    "Then instead of applying for an identity (name and password) at say
    CMU, I'd simply ask for allowing login+ftp+... access for my Chalmers
    account."

But this is in practice how we use SSH at cvs.xemacs.org! Except that we
substitute "personal SSH public key" for "Chalmers account".

Also,

    "As soon as my authentication authorities are exported in a global
    fashion, they become useful for all who trust my security
    procedures."

But this isn't authentication, it's certification. I don't see what you
can do with your "global token" that can't be done by calling up Chalmers
(by any convenient and "sufficiently secure" protocol) and asking if such
and such a public key is registered with their certification authority.

Also, it looks to me like the global token is less secure against a
subverted certification authority, who can basically masquerade as
anybody unless you do a separate personal authentication.

-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Ask not how you can "do" free software business;
ask what your business can "do for" free software.

Received on 2004-01-22 04:24:54
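The post above proposes collecting a subscriber's SSH public key at signup and letting them reach the service only through SSH port-forwarding. As an added example, not from this thread or from any project mentioned in it, here is a Python audit of such an authorized_keys file that checks each key is confined to forwarding to the service port and nothing else; the port 8080 and the three sample keys are constructed.

```python
"""Audit an authorized_keys file used as the access list for a forward-only service."""
import re

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
OPTION_RE = re.compile(r'(?:[^,"]|"[^"]*")+')   # one option; commas inside quotes are kept

def parse_line(line):
    """Return (options, keytype, comment), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):            # no options field at all
        options, rest = [], line
    else:                                     # options end at the first unquoted whitespace
        m = re.match(r'((?:[^\s"]|"[^"]*")+)\s+(.*)', line)
        if not m:
            return None
        options, rest = OPTION_RE.findall(m.group(1)), m.group(2)
    parts = rest.split(None, 2)
    return options, parts[0], (parts[2] if len(parts) > 2 else "")

def audit_authorized_keys(text, service_port):
    """Flag keys that could reach more than the service port on the SSH host."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _keytype, comment = parsed
        who = comment or f"line {n}"
        names = {o.split("=", 1)[0] for o in options}
        if "restrict" not in names:
            findings.append(f"{who}: missing 'restrict' (shell, PTY, agent and X11 stay enabled)")
        elif "port-forwarding" not in names:
            findings.append(f"{who}: 'restrict' without 'port-forwarding' blocks the service too")
        targets = [o.split("=", 1)[1].strip('"') for o in options if o.startswith("permitopen=")]
        if not targets:
            findings.append(f"{who}: no permitopen, so any host:port can be forwarded")
        for t in targets:
            if not t.endswith(f":{service_port}"):
                findings.append(f"{who}: permitopen target {t} is not the service port")
    return findings

# Constructed sample: three subscriber keys; only alice is correctly confined to the service.
SAMPLE = """\
restrict,port-forwarding,permitopen="127.0.0.1:8080" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample1 alice
restrict,port-forwarding,permitopen="127.0.0.1:8080",permitopen="10.0.0.5:22" ssh-rsa AAAAB3NzaC1yc2EAAAAExample2 bob
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample3 carol
"""
# audit_authorized_keys(SAMPLE, 8080) -> one finding for bob, two for carol
```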