The coming Web security woes (News.com)

Posted Jul 12, 2005 16:57 UTC (Tue) by bronson (subscriber, #4806)
In reply to: The coming Web security woes (News.com) by jwb
Parent article: The coming Web security woes (News.com)

Can you point to the section of RFC 2246 that talks about SSL's smart card challenge/response protocol? I must have missed that.

I also agree with dlang that poor smart cards will actually make security *worse* instead of better. Bruce Schneier has written more skillfully on this topic than I could hope to. Unfortunately I can't find the article right now... Maybe it was in Secrets & Lies?

The coming Web security woes (News.com)

Posted Jul 12, 2005 17:05 UTC (Tue) by jwb (subscriber, #15467)

SSL is agnostic regarding the type of cryptographic device being used at each end. The standard which allows a smartcard to take part in an SSL connection is called PKCS #11.

And, trying to bring the discussion back into the wind, I would like to point out that this topic does not involve security. We are (were) talking about means by which a website like LWN could hand out accounts without collecting email address information about the account holders, thereby avoiding the consequences of the proposed law mentioned in the article.

The coming Web security woes (News.com)

Posted Jul 12, 2005 18:39 UTC (Tue) by man_ls (subscriber, #15091)

> We are (were) talking about means by which a website like LWN could hand out accounts without collecting email address information about the account holders
To be honest, I missed that part. I thought you just didn't want to have to remember and manage all those passwords, and you wanted to use your smartcard to authenticate. Ok, this changes the scope of the problem significantly.

From the point of view of a site like LWN, it's probably easy to just store tokens (in this case cryptographic keys) associated with usernames. But frankly, what is the point? Passwords are just as good for tokens; username + password works just as well. The email address bit is just for verification and notification. So, keep it as it is now, and just discard the email address once the verification is complete. No notification for you US citizens.

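Added example, not code from the thread or from LWN itself: the "verify, then discard" account scheme man_ls describes, written out as a small in-memory account store. The address is held only until the mailed verification token comes back, then the only copy is cleared; what remains is a username, a salt and a PBKDF2 password hash, which is all that login needs. The class and method names, the iteration count, and the sample user are assumptions made for the illustration; in a real deployment the token would be sent to the address rather than returned to the caller.

```python
"""Account store that verifies an e-mail address once, then forgets it.

Illustrative code (not LWN's); names, iteration count and sample data are
assumptions chosen for the example.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: a work factor the server can afford per login attempt.
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    verified: bool = False
    # Held only until the address is verified; cleared in verify().
    pending_email: Optional[str] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._pending_tokens: Dict[str, str] = {}  # token -> username

    def register(self, username: str, password: str, email: str) -> str:
        """Create an unverified account; return the one-time verification token.

        In a real system the token is mailed to `email`; it is returned here
        so the flow can be exercised offline.
        """
        if username in self._accounts:
            raise ValueError("username already taken")
        salt = os.urandom(16)
        self._accounts[username] = Account(
            username=username,
            salt=salt,
            pw_hash=_hash_password(password, salt),
            pending_email=email,
        )
        token = secrets.token_urlsafe(32)
        self._pending_tokens[token] = username
        return token

    def verify(self, token: str) -> bool:
        """Consume the token, activate the account and drop the address."""
        username = self._pending_tokens.pop(token, None)
        if username is None:
            return False  # unknown or already-used token
        acct = self._accounts[username]
        acct.verified = True
        acct.pending_email = None  # the only copy of the address goes away here
        return True

    def authenticate(self, username: str, password: str) -> bool:
        """Password login; unverified accounts are refused."""
        acct = self._accounts.get(username)
        if acct is None or not acct.verified:
            return False
        candidate = _hash_password(password, acct.salt)
        return hmac.compare_digest(acct.pw_hash, candidate)

    def stored_email(self, username: str) -> Optional[str]:
        """What the site still knows about the user's address (None once verified)."""
        return self._accounts[username].pending_email


if __name__ == "__main__":
    store = AccountStore()
    tok = store.register("alice", "correct horse battery", "alice@example.org")
    print("before verify:", store.stored_email("alice"))
    print("verify ok:", store.verify(tok))
    print("after verify:", store.stored_email("alice"))
    print("login ok:", store.authenticate("alice", "correct horse battery"))
```

The retained record carries nothing that identifies the holder beyond the chosen username, which is the point of the scheme; the trade-off man_ls notes is that, with the address gone, the site has no way to notify the user or to reset a forgotten password by mail.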
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds