
SSL vs PCT Client Authentication Issues

1. Comparison

Client authentication is done with the client's private key in SSL, which
otherwise does not come into the communication link.  In that sense
there is no improvement with PCT.  SSL satisfies the main components
of that process.

2. Operation

a) Legal Proof
    We use a signed instruction as a sequence of characters to legally 
    prove authentication which is communicated down the secure 
    channel.  This sequence of characters, however, stands alone and
    does not require a secure channel.

b) Mechanism
    Simply squirting in the client private key at the initiation of the SSL
    link would require the key to be available to the browser.  We prefer
    this to be only temporary.  (i.e. the key is loaded from floppy together
    with the encryption password of the key; the signed instruction is
    generated; the key is memsetted out of existence in memory.)

    If no contracts are being established by the secure channel we are
    happy enough to allow password security to establish client authentication.

    i.e. you can look up your bank statement, flight availability, or portfolio
    with the password/user id.  But you cannot buy/sell anything without
    a signed instruction.
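
An added worked example in Go, written for this archive page and not part of
the original post, of the mechanism in 2(b) and the password-versus-signed-
instruction rule that follows it.  It models the flow the post describes: the
client key sits encrypted off-line (an in-memory PEM stands in for the
floppy), is decrypted with its password only long enough to sign one
instruction, and is then wiped; the signed instruction is a single printable
string that anyone holding the public key can verify without knowing what
channel carried it.  Everything concrete here is assumed: the operation names,
the newline-separated payload layout (user, instruction, RFC 3339 timestamp),
P-256 ECDSA as the key type, and the legacy x509.EncryptPEMBlock password
encryption, used only because it is in the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"strings"
	"time"
)

// MakeEncryptedKey stands in for preparing the floppy: a fresh P-256 key returned as a
// password-encrypted PEM, plus the public key the server keeps.  Assumption: the legacy
// x509.EncryptPEMBlock scheme (weak KDF) is used only because it is in the standard library.
func MakeEncryptedKey(password []byte) ([]byte, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalECPrivateKey(key) // cannot fail for the key generated just above
	blk, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", der, password, x509.PEMCipherAES256)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(blk), &key.PublicKey, nil
}

// LoadKey decrypts the PEM with its password, parses the key and zeroes the plaintext DER.
func LoadKey(pemBytes, password []byte) (*ecdsa.PrivateKey, error) {
	blk, _ := pem.Decode(pemBytes)
	if blk == nil {
		return nil, errors.New("no PEM block found")
	}
	der, err := x509.DecryptPEMBlock(blk, password)
	if err != nil {
		return nil, err
	}
	key, err := x509.ParseECPrivateKey(der)
	copy(der, make([]byte, len(der))) // plaintext key material is no longer needed
	return key, err
}

// WipeKey approximates "memsetted out of existence": it overwrites the private scalar so the
// key cannot sign again.  Go's GC may already have copied it, so this is best effort, unlike C.
func WipeKey(key *ecdsa.PrivateKey) {
	key.D.SetBytes(make([]byte, 32))
}

// SignInstruction builds the stand-alone string base64url(payload).base64url(signature);
// the payload binds user, instruction and timestamp (assumed layout, newline-separated).
func SignInstruction(key *ecdsa.PrivateKey, user, instruction string, at time.Time) (string, error) {
	payload := user + "\n" + instruction + "\n" + at.UTC().Format(time.RFC3339)
	h := sha256.Sum256([]byte(payload))
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString([]byte(payload)) + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyInstruction needs only the public key and the string itself; the channel it
// arrived on is irrelevant.  It returns the user and instruction that were signed.
func VerifyInstruction(pub *ecdsa.PublicKey, signed string) (string, string, error) {
	p, s, ok := strings.Cut(signed, ".")
	if !ok {
		return "", "", errors.New("malformed signed instruction")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	if err1 != nil || err2 != nil {
		return "", "", errors.New("bad encoding in signed instruction")
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", "", errors.New("signature does not verify")
	}
	user, rest, _ := strings.Cut(string(payload), "\n")
	instruction, _, _ := strings.Cut(rest, "\n")
	return user, instruction, nil
}

// Authorize applies the post's rule: lookups need only a password login, while buy/sell
// need a valid signed instruction from this user that names this operation.
func Authorize(pub *ecdsa.PublicKey, user string, loggedIn bool, op, signed string) error {
	switch op {
	case "statement", "flight-availability", "portfolio":
		if loggedIn {
			return nil
		}
		return errors.New("password login required")
	case "buy", "sell":
		u, instruction, err := VerifyInstruction(pub, signed)
		if err == nil && (u != user || !strings.HasPrefix(instruction, op+" ")) {
			err = errors.New("signed instruction does not cover this operation for this user")
		}
		return err
	}
	return errors.New("unknown operation")
}
```

Two caveats a practitioner would add to the post's scheme: the timestamp in the
payload only helps against replay if the server also refuses an instruction it
has already acted on, and wiping in a garbage-collected language is never the
guarantee that a memset over a stack buffer gives in C, which is why the
post's "load, sign, memset" step belongs in native code if it matters.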