[sldev] OpenID vs. current proposal vis a vis security
Dale Glass
dale at daleglass.net
Sun Sep 30 06:57:42 PDT 2007
On Sunday 30 September 2007 14:10:32 Kamilion wrote:
> Well, I've got an idea.
>
> I've just been sitting here, reading all this discussion on this
> authentication scheme, and then I went to go log into my linux box
> with putty, and it hit me.
>
> SSH has a pretty freakin' good public/private key system.
>
> How feasible would it be to generate a SSH-like private and public key
> for each account based on its current password as the passphrase?
For proper security you wouldn't want to do that. Generating the passphrase
based on the password means it'd be some server inside of LL that would do
that.
The proper approach is different: The client generates the private and
public key, sets whatever passphrase they wish, then gets the server to
trust their public key.
But anyway, why do this when SSL certificates would be a much simpler way
of doing it? That doesn't require extracting anything from OpenSSH, the
code is in OpenSSL already.
> This also solves the problem of logging in at an internet cafe or a
> friend's place, with a simple addition of one-time-use keys, even
> allowing a different password for an OTU pair.
No it doesn't.
To log in at the cafe, you need to provide your PRIVATE key. You need to
provide it to a potentially insecure or even maliciously set up computer.
Which then can promptly grab your key and record your passphrase with a
keylogger.
Then even if this made auth safe, it still has the same problem: You're at
an untrusted box, which may have a trojaned viewer, or may modify the copy
you bring, etc. Then it can transfer all your L$ as soon as you log in.
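The "proper approach" above (client makes the keypair, server only ever learns the public half, login is a signature over a server challenge), as an added illustration that is not code from this thread or from Linden Lab. It uses Ed25519 from Go's standard library, which is an assumption of mine, not something the thread proposes; the account name, the message format and the function names are likewise made up for the example. It also includes the rejected design, a key derived deterministically from the password, to show why Dale objects to it: anyone who holds the password, the login server included, can recompute the same private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server keeps one trusted public key per account and at most one
// outstanding challenge per account. It never sees a private key.
type Server struct {
	trusted    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{
		trusted:    map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Enroll records the public key the client generated for itself.
func (s *Server) Enroll(account string, pub ed25519.PublicKey) {
	s.trusted[account] = pub
}

// Challenge hands out a fresh random nonce and remembers it so that it can
// be consumed exactly once.
func (s *Server) Challenge(account string) ([]byte, error) {
	if _, ok := s.trusted[account]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[account] = nonce
	return nonce, nil
}

// Verify checks the client's signature over the outstanding nonce and then
// forgets the nonce, so a captured signature cannot be replayed later.
func (s *Server) Verify(account string, sig []byte) bool {
	pub, havePub := s.trusted[account]
	nonce, haveNonce := s.challenges[account]
	if !havePub || !haveNonce {
		return false
	}
	delete(s.challenges, account)
	return ed25519.Verify(pub, loginMessage(account, nonce), sig)
}

// loginMessage binds the signed bytes to a purpose and an account, so a
// signature made for one login cannot be reused for another account or
// another protocol. The format is an assumption of this example.
func loginMessage(account string, nonce []byte) []byte {
	return []byte("login-v1:" + account + ":" + hex.EncodeToString(nonce))
}

// GenerateClientKey runs on the client. The key is random, not derived from
// anything the server knows.
func GenerateClientKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// ClientSign is the client's half of the exchange: the private key is used
// locally and is never transmitted.
func ClientSign(priv ed25519.PrivateKey, account string, nonce []byte) []byte {
	return ed25519.Sign(priv, loginMessage(account, nonce))
}

// KeyFromPassword is the rejected design from the quoted message: the key is
// a pure function of the password, so any party holding the password can
// recompute the private key. SHA-256 is used only to make that point; it is
// not a password KDF.
func KeyFromPassword(password string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(password))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Login runs the whole exchange: challenge, client signature, verification.
func Login(s *Server, account string, priv ed25519.PrivateKey) (bool, error) {
	nonce, err := s.Challenge(account)
	if err != nil {
		return false, err
	}
	return s.Verify(account, ClientSign(priv, account, nonce)), nil
}

func main() {
	pub, priv, err := GenerateClientKey()
	if err != nil {
		panic(err)
	}
	s := NewServer()
	s.Enroll("alice", pub) // only the public key crosses the wire
	ok, _ := Login(s, "alice", priv)
	fmt.Println("login with client-held key:", ok)

	// Password-derived keys: two independent derivations from the same
	// password yield the same private key, which is the whole problem.
	fmt.Println("password-derived keys identical:",
		KeyFromPassword("hunter2").Equal(KeyFromPassword("hunter2")))
}
```

Note that this only covers the authentication step Dale is discussing; it does nothing about the cafe scenario in the following paragraph, where the private key (and the passphrase typed to unlock it) is exposed to an untrusted machine regardless of how the protocol is designed.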