> From: John Merrells [mailto:[EMAIL PROTECTED]
> The environment for WS-* seems different. Economically it's a
> two party platform... the desktop and the server... but
> Microsoft can leverage its installed base and development
> tools to make sure it's at both ends everywhere.

That depends on how you look at the problem... If you decide that you are going to use PKI as your authentication mechanism then you can make dramatic simplifications in your authentication protocol. In-band authentication can be effectively reduced to a two-party protocol between the user and the relying party. There is still a third party involved, but the involvement is now implicit. The credential issuer is an indirect party that, in theory at least, does not participate in the communication flow. In practice you are very likely to be using online revocation, which is even more vital for end user credentials than SSL certs.

Adding self-signed credentials is useful but only to a point. I suspect that in practice relying parties will want to authenticate the email address at least, both to reduce spam and to allow credentials to be replaced if necessary.

Self-signed certificates do have uses, but how do I recover from a stolen laptop if the only way a site recognizes me is through a self-signed cert with no other attributes? How do I reclaim my identity? How do I stop another using it?

Infocard is great, but I still want a solution that works as a secure drop-in replacement for username/password without being limited to that. I would rather the ten-year-out solution be that everyone implements WS-* plus legacy DIX than that everyone implements WS-* but there is still a huge amount of ad-hoc password registration for traditional username/password.

_______________________________________________
dix mailing list
https://www1.ietf.org/mailman/listinfo/dix
