dotgnu-auth

[Auth]First thoughts on authorization


From: Gordon Hanson
Subject: [Auth]First thoughts on authorization
Date: Wed, 11 Jul 2001 15:26:22 -0500

My initial thoughts were that a completely decentralized system could
not be developed. But as I think about it the real world works as a
decentralized trust relationship thingy.

Example:
I go to a store and wish to purchase some widgets. I write a check, and
the clerk wants some ID (a token of identification from a third party).
The clerk checks the store's official list of trusted identification
authorities and allows (or disallows) the check. I then leave (or don't)
with my widgets.

In this case a token (my driver's license, credit card, or other ID
card) was used to prove that I was who I said I was. The same concept
can be used here for virtual authentication. E.g., I ask server A for a
restricted service, and server A and my computer negotiate what an
acceptable identification authority is. Then server A contacts the
ID-Authority and sends it a random string encoded with ID-Authority's
public key. The ID-Authority decodes the string, and then sends it to my
computer encoded with the public key that was set up previously, and I
decode it and send it back to server A, thereby proving that I am who I
say I am (based on the fact that I have logged in with my pass phrase).

This is only one type of authentication, and does not preclude others,
either more simple or complex.

Any comments?

Gord
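
Added example, not part of the original message and not DotGNU code: a toy Python model of the exchange described above, in which server A's random string is sealed to the ID-Authority, re-sealed for the user, and returned to server A. The class and function names, the user name "gord", the use of textbook RSA with fixed Mersenne primes, and server A naming the user to the authority are all assumptions made for illustration.

```python
# Added illustration: toy model of the challenge relay in the message above.
# Textbook RSA, no padding, fixed Mersenne primes: shows message flow only.
import secrets
E = 65537  # public exponent (assumption; the message names no algorithm)

def keypair(p, q):
    """Return (public, private) textbook-RSA keys built from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def apply_key(key, m):
    """Encrypt with a public key or decrypt with the matching private key."""
    n, exponent = key
    return pow(m, exponent, n)

class IDAuthority:
    def __init__(self):
        self.public, self._private = keypair(2**89 - 1, 2**107 - 1)
        self.registered = {}    # user -> public key "set up previously"
        self.logged_in = set()  # users who have entered their pass phrase
    def relay(self, user, sealed):
        """Open the server's challenge and re-seal it for a logged-in user."""
        if user not in self.logged_in:
            return None
        return apply_key(self.registered[user], apply_key(self._private, sealed))

class ServerA:
    def __init__(self, authority_public):
        self.authority_public = authority_public
        self.pending = {}  # user -> outstanding random string
    def challenge(self, user):
        """Create a fresh random string, sealed to the ID-Authority."""
        self.pending[user] = secrets.randbits(128)
        return apply_key(self.authority_public, self.pending[user])
    def verify(self, user, answer):
        """Accept the outstanding challenge once; any answer consumes it."""
        expected = self.pending.pop(user, None)
        return expected is not None and answer == expected

def demo():
    """Run one exchange for a constructed user, then replay the answer."""
    authority = IDAuthority()
    user_public, user_private = keypair(2**61 - 1, 2**127 - 1)
    authority.registered["gord"] = user_public
    authority.logged_in.add("gord")
    server = ServerA(authority.public)
    relayed = authority.relay("gord", server.challenge("gord"))
    answer = apply_key(user_private, relayed)
    return server.verify("gord", answer), server.verify("gord", answer)
```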
