Authentication on the Internet (bogus emails looking for money)
Alan Johnson
alan at datdec.com
Tue Apr 27 17:51:25 EDT 2010
On Tue, Apr 27, 2010 at 5:26 PM, Lloyd Kvam <lkvam at venix.com> wrote:
> Do you think it is hopeless trying to educate users to import a
> certificate and protect it with a pass phrase?
>
Yes, see #5:
http://www.ranum.com/security/computer_security/editorials/dumb/
However, that's not to say you can't offer them options, but you can't count
on them not posting whatever private key/password they use on Facebook. A
good sysadmin assumes dumb users because it only takes one dumb move to
compromise your security and we all make dumb moves sometimes, users and
admins, smart and dumb alike.
Also, if you make the cert your only option, then the substantial question
is not about the reliability of your users, but their willingness to
overcome potential barriers to use your service. I.e., it depends on your
audience.
Personally, I like the OpenID concept. Assuming you have a secure
provider, and a secure password/cert with them, I think this offers the best
balance of convenience and security. No reason your users should complain
if you offer plain old password, cert auth, and OpenID, but you might find
some reason to complain about maintaining them all. I don't know.