> From: Dick Hardt [mailto:[EMAIL PROTECTED] 

> On 27-Feb-06, at 10:19 AM, Hallam-Baker, Phillip wrote:
> > If you decide that you are going to use PKI as your authentication 
> > mechanism then you can make dramatic simplifications in your 
> > authentication protocol. Inband authentication can be effectively 
> > reduced to a two party protocol between the user and the relying 
> > party.
> 
> I presume from your use of AuthN above that you are thinking 
> of how hosts authenticate, since currently available users 
> are still not capable of performing PK operations.

True, but users are not capable of doing TCP/IP either. Perhaps after
Kurzweil's singularity we will get the relevant implants.

Most users' machines are quite capable of doing PKI today. SSL Client
auth is practically universal. The user interface is shockingly bad but
the code is certainly there.

> I think it is important to be able to use other 
> authentication methods besides PKI for hosts.
> 
> eg. DNS mapping a hostname to an IP that data is retrieved 
> from is a very light weight AuthN mechanism for a host, 
> albeit primarily suited for low risk transactions.

I agree that we need other forms of AuthN of people to machines. But
once we are passing along second degree assertions between machines
every other form of authentication is second best.

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix