When encryption is also authentication...
Curt Smith
objectpascal at yahoo.com
Thu May 30 05:16:44 PDT 2002
I concur. The problem is that the most prevalent e-mail
program (Outlook) requires no user intervention as a default
when signing and/or encrypting a message with S/MIME. One can
override the default to "High Security" (requiring password)
only while the X.509 certificate is being installed.
I also agree that alternative authorization mechanisms (or
combination thereof) are entirely appropriate: smartcards,
flashcards, biometric readers, magnetic strips, bar codes, etc.
Different schemes will work provided the hardware is available
and adequate authentication can be assured.
Curt
--- David Howe <DaveHowe at gmx.co.uk> wrote:
> Partially agreed - a user doesn't have to know *how* it
> works, but must take a positive step (e.g., type in a
> password, answer "yes" to an "are you really sure you want to
> do this" message, that sort of thing) for it to be binding
> under most e-sig legislation. However, the law of contract
> assumes every dotted i and crossed t is read and fully
> understood to the full measure of the law. Enough people get
> caught out this way each year (they find the contract they
> signed isn't what they negotiated but, e.g., binds them to a
> full term of service (say, two years) when they wanted a
> three-month trial...).
> There is a balance to be had here. It should be impossible
> for a random user to walk up to their powered-off PC, power
> it on, then sign a document. It should be extremely difficult
> for a random user to walk up to a PC that has been left
> logged on (but which hasn't been used to sign documents for
> five minutes or so) and sign a document; it should be easy
> for the user to sign a large number of documents in rapid
> succession, without having to type in a complex password
> every single time. If this involves remembering the password
> for a specified "idle" time, or using a smartcard to auth
> (rather than a manual password, or in addition) that the user
> can remove when he takes a coffee break, then fine - but
> whatever you do must almost certainly use no other hardware
> than is already fitted to the machine, so a USB dongle could
> be OK for a home user but a credit-card-style smartcard
> almost certainly won't be (although if anyone knows a decent
> floppy adaptor for smartcards, I would love to know about it).
=====
Curt
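The quoted reply sketches a signing-key policy: locked at power-on, locked again after about five minutes without a signature, but no prompt while a user signs many documents back to back. The following is an added example (editor's code, not from either poster or from any mail client) of a signing agent that enforces exactly that policy. Everything in it is an assumption for illustration: the passphrase, salt and documents are constructed, PBKDF2 stands in for unwrapping an S/MIME private key, HMAC-SHA256 stands in for the actual private-key signature, and the injectable clock exists only so the idle timeout can be exercised without waiting.

```python
"""Idle-timeout signing agent: the policy from the thread, in code (added example)."""
import hashlib
import hmac
import time


class Locked(Exception):
    """Raised when signing requires the user to re-authenticate first."""


class SigningAgent:
    """Caches an unlocked signing key only for as long as it keeps being used.

    Policy: locked at startup; locked again after `idle_timeout` seconds
    without a signing operation; no prompt while signing in rapid succession.
    """

    def __init__(self, salt: bytes, key_check: bytes,
                 idle_timeout: float = 300.0, clock=time.monotonic):
        self._salt = salt
        self._key_check = key_check      # SHA-256 of the correct key; rejects wrong passphrases
        self._idle_timeout = idle_timeout
        self._clock = clock              # injectable so the timeout can be tested without sleeping
        self._key = None                 # None means locked: the state at power-on
        self._last_used = None

    @staticmethod
    def derive_key(passphrase: str, salt: bytes) -> bytes:
        # Hypothetical stand-in for unwrapping a stored private key with the
        # user's passphrase: PBKDF2-HMAC-SHA256 over the passphrase.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def unlock(self, passphrase: str) -> bool:
        """The user's positive step: a correct passphrase caches the key."""
        key = self.derive_key(passphrase, self._salt)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self._key_check):
            return False
        self._key = key
        self._last_used = self._clock()
        return True

    def lock(self) -> None:
        """Drop the cached key (coffee break, smartcard removed, idle expiry)."""
        self._key = None
        self._last_used = None

    def is_unlocked(self) -> bool:
        if self._key is None:
            return False
        if self._clock() - self._last_used > self._idle_timeout:
            self.lock()                  # idle too long: next sign() must re-prompt
            return False
        return True

    def sign(self, document: bytes) -> bytes:
        if not self.is_unlocked():
            raise Locked("passphrase (or smartcard) required before signing")
        self._last_used = self._clock()  # the idle clock restarts on every signature
        # HMAC-SHA256 stands in for the real private-key signature operation.
        return hmac.new(self._key, document, hashlib.sha256).digest()


def verify(key: bytes, document: bytes, signature: bytes) -> bool:
    """Counterpart of sign() for the HMAC stand-in."""
    return hmac.compare_digest(hmac.new(key, document, hashlib.sha256).digest(), signature)


class FakeClock:
    """Constructed clock so the demo can jump forward instead of sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


# Constructed sample credentials (not real key material).
SALT = b"constructed-salt"
PASSPHRASE = "correct horse battery staple"
KEY_CHECK = hashlib.sha256(SigningAgent.derive_key(PASSPHRASE, SALT)).digest()


def demo() -> dict:
    """Walk through the three cases from the thread and report what happened."""
    clock = FakeClock()
    agent = SigningAgent(SALT, KEY_CHECK, idle_timeout=300.0, clock=clock)
    results = {}
    try:                                 # 1. freshly powered on: nobody can sign
        agent.sign(b"constructed document")
        results["signed_at_boot"] = True
    except Locked:
        results["signed_at_boot"] = False
    results["wrong_passphrase_accepted"] = agent.unlock("wrong passphrase")  # 2. bad passphrase
    agent.unlock(PASSPHRASE)             # 3. one prompt, then 50 signatures one second apart
    for i in range(50):
        agent.sign(f"constructed document {i}".encode())
        clock.advance(1.0)
    results["rapid_signing_ok"] = True
    clock.advance(301.0)                 # 4. coffee break longer than the idle window
    try:
        agent.sign(b"constructed document")
        results["signed_after_idle"] = True
    except Locked:
        results["signed_after_idle"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The idle window is measured from the last signature, not from the unlock, which is what makes rapid successive signing prompt-free while still locking the key after a break. A real agent would keep the unwrapped key in a separate process (or on the smartcard the reply suggests) rather than in the mail client's address space, but the timeout logic is the same.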