On 11/14/13 00:09, sharon wrote:

below :) On 11/12/2013 11:48 PM, Guido Witmond wrote:

...

The world needs to forget passwords as remote identification and move on to client certificates. Preferably, a separate client certificate for each site. It takes only a small browser plug in to make it easy.

Regards, Guido.

hi, off-list.

ive read a bit about your ideas for auth. its interesting. but im not clear on one thing - if were happy with keeping secrets locally, and even letting a browser plug-in read/write them, why not just generate a pgp key pair, with one good password, and use that to keep an encrypted file with lots of randomly generated, strong passwords? that encrypted file can be easily synced across devices, with any regular service, a its encrypted. (or synced manually, privately) and the key pair, should be better protected, manually synced, or for non-paranoid people, with the same service, since thats protected with a good password too. of course, echo "good password"| gpg -d "password file"|grep "service name" could be done with a browser plugin as well. how is that inferior to client certificates? or the the code you wrote to make it happen?

thanks. feel free to reply publicly if you think someone else might also benefit from it.

What you've designed is a classic password manager application, like Lastpass, Keepas. It's a good design for when the site requires a password. However, as every website has their own rules for password, lengths, allowed characters, it makes it a bit of hit and miss whether a certain generated password will be accepted. It would lead to having a list of sites and recipes of what is allowed. It doens't scale. Besides, most sites also require an email address, so anonymity is lost. Client certificates are already implemented in most web servers. It's a one-line setting to accept a certain certificate authority for a site. If that is the Ca of the site owner themselves, it's even easier. The price to pay (for end users) is to have a computer that cannot easily be subverted by malware. Notice that's the same requirement for password managers. I've written about my ideas on client certificates on my site: http://eccentric-authentication.org/ Feel free to ask if anything is not clear Regards, Guido.