minor addenda ... ref:
http://www.garlic.com/~lynn/aadsm19.htm#1 Do You Need a Digital ID?
http://www.garlic.com/~lynn/aadsm19.htm#2 Do You Need a Digital ID?

there are 2nd order implementations of public/private key authentication business process where keeping the private key private might involve

* keeping the private key in an encrypted file where a pin/password is required to decrypt the file. this could be considered a possibly weak form of two-factor authentication: 1) possession of the encrypted file and 2) possession of the key to decrypt the file (it may in fact be considered so weak that many might consider it only one-factor authentication, the knowledge of the key to decrypt the file).

* keeping the private key in a token ... where the characteristics of the private key and the token holding the private key are taken as equivalent. the simple token/private-key equivalence is then one-factor "something you have" authentication ... aka a) digital signature is an expression of access and use of the private key and b) access and use of the private key is an expression of the possession of the token.

* a private key token that requires PIN and/or biometrics to operate in a specific manner ... a relying party with business process certification that the private key only exists in a specific token and that the specific token is also certified as requiring a specific PIN and/or biometrics can then possibly assume some form of two-factor authentication (or even three-factor authentication); the digital signature is an expression of the access and use of the private key, and the access and use of the private key is an expression of a combination of a) possession of a specific hardware token, b) the corresponding PIN for that specific hardware token to operate in a specific manner and/or c) the biometric for that specific hardware token to operate in a specific manner.

note in the old-fashioned identity digital certificates from the early 90s ... there was frequently little or no discussion as to the integrity requirements regarding the ability to access and use a specific private key (which is what the whole private/public key business process is fundamentally built on). there was frequently lots of documentation on what a certification authority might do for integrity around the generation of an identity digital certificate .... but very little or nothing about what the key owner was required to do in order to enable the whole fundamental public/private key business process to operate correctly.

---------------------------------------------------------------------
The Cryptography Mailing List