dotgnu-auth

Re: [Auth]Authorization Certificates


From: Jeremy Petzold
Subject: Re: [Auth]Authorization Certificates
Date: Thu, 19 Jul 2001 06:09:43 -0700 (PDT)

I don't have a firm grasp on trust matrix theory, but
what if you look at it as local areas of trust.

example, business A has a local area of trust, and
business B has a local area of trust.

for a user to gain access to Business A's area of
trust, that user needs to register with them (i.e.
some way that Business A can validate the user next
time that user tries to enter A's area of trust, a
username/password is how it is done right now.)

then let's say the user wants to go over to business B,
that user needs to register with this Business still
so he can not enter the area of trust without doing
so.

all of this registration can be done transparently
through our system by way of the passport replacement
(whatever we call it) so that the end user just
clicks on the site, authorises the pop-up box that
asks them if it is ok to register with this website.
when they register with the site, they only send a
username, password, and perhaps a key or certificate.
this must be done in order for any business
transactions to take place, then when the user clicks
to buy a book at bn.com, the cc#,shipping address and
billing address are sent, along with the little survey
info they ask for and then at the end of the RLS
string (or whatever we use) the key or certificate
that the user is registered with. that will act as the
digital signature, this validates the user who has
already logged in to the trusted environment with
username/Password, the key/certificate just acts as
one more level of trust to validate against. (and of
course this key/certificate would be encrypted)

do I make sense, and is this at all near what we need
or is this wide open to crackers?

-Jeremy

--- Adam Theo <address@hidden> wrote:
> hello, and thank you for the comment.
> 
> I can understand your belief that a WoT can only
> work with individuals
> with similar interests and community, but I must
> suggest this is not
> necessarily the case, if done intelligently.
> 
> I understand it is important to recognize the
> differences, and therefore
> differences in requirements, between different types
> of 'entities' in a
> WoT. trying to treat all of them the exact same way
> will only lead to
> confusion and a system which does not accurately
> describe 'trust' or
> help users use the system.
> 
> But by keeping in mind, and designing for, these
> differences in needs
> and natures of entities, I think we can create a WoT
> that really works.
> 
> I am working on an example, but it might be a few
> days.

