SSL vs PCT Client Authentication Issues
1. Comparison
Client authentication is done with the client's private key in SSL which
otherwise does not come into the communication link. In that sense
there is no improvement with PCT. SSL satisfies the main components
of that process.
2. Operation
a) Legal Proof
We use a signed instruction as a sequence of characters to legally
prove authentication which is communicated down the secure
channel. This sequence of characters, however, stands alone and
does not require a secure channel.
b) Mechanism
Simply squirting in the client private key at the initiation of the SSL
link would require the key to be available to the browser. We prefer
this to be only temporary (i.e. key is loaded from floppy together with
encryption password of key, Signed Instruction is generated, key is
memsetted out of existence in memory).
If no contracts are being established by the secure channel we are
happy enough to allow password security to establish client authentication,
i.e. you can look up your bank statement, flight availability or portfolio
with the password/user id. But you cannot buy/sell anything without
a signed instruction.
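The mechanism in 2(b) and the password-versus-signed-instruction split in the last paragraph, as an added example in Go; this is not code from the original post or from any SSL/PCT implementation. It assumes an Ed25519 key in place of the RSA keys of the period, a constructed key-file format (the seed sealed with AES-GCM under a password-derived key, standing in for the encrypted key on the floppy), an iterated salted SHA-256 as a stdlib-only stand-in for a real password KDF, and a convention that the instruction text starts with the operation name (`buy:`, `sell:`) so a signed buy order cannot be replayed as a sell. The operation names and the sample order are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyFile stands in for the floppy key file: the Ed25519 seed sealed with AES-GCM under a password-derived key.
type KeyFile struct{ Salt, Nonce, SealedSeed []byte }

// SignedInstruction is the stand-alone artifact of 2(a): instruction text plus signature, verifiable with only the public key.
type SignedInstruction struct{ Instruction, Signature []byte }

// wipe overwrites key material in place: the "memset out of existence" step.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// deriveKey stretches the password. Assumption: iterated salted SHA-256 is a
// stdlib-only stand-in for a real KDF such as PBKDF2 or scrypt.
func deriveKey(password, salt []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 10000; i++ {
		k = sha256.Sum256(append(k[:], salt...))
	}
	return k[:]
}

// aead builds the AES-256-GCM sealer; the key is always 32 bytes, so the constructors cannot fail here.
func aead(password, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(password, salt))
	g, _ := cipher.NewGCM(block)
	return g
}

// MakeKeyFile generates a key pair and seals the seed: the public key stays
// with the server, the key file goes to the floppy, the private key is wiped.
func MakeKeyFile(password []byte) (ed25519.PublicKey, *KeyFile, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	r := make([]byte, 28) // 16-byte salt followed by 12-byte GCM nonce
	if _, err := rand.Read(r); err != nil {
		return nil, nil, err
	}
	kf := &KeyFile{Salt: r[:16], Nonce: r[16:]}
	kf.SealedSeed = aead(password, kf.Salt).Seal(nil, kf.Nonce, priv.Seed(), nil)
	wipe(priv)
	return pub, kf, nil
}

// SignInstruction unseals the key just long enough to sign one instruction,
// then wipes the seed and the expanded private key before returning.
func SignInstruction(kf *KeyFile, password, instruction []byte) (*SignedInstruction, error) {
	seed, err := aead(password, kf.Salt).Open(nil, kf.Nonce, kf.SealedSeed, nil)
	if err != nil {
		return nil, fmt.Errorf("wrong password or corrupted key file")
	}
	priv := ed25519.NewKeyFromSeed(seed)
	sig := ed25519.Sign(priv, instruction)
	wipe(seed)
	wipe(priv)
	return &SignedInstruction{Instruction: append([]byte{}, instruction...), Signature: sig}, nil
}

// Verify needs only the public key and the artifact, no channel state.
func Verify(pub ed25519.PublicKey, si *SignedInstruction) bool {
	return si != nil && ed25519.Verify(pub, si.Instruction, si.Signature)
}

// readOnly lists the lookups allowed on password alone (constructed names).
var readOnly = map[string]bool{"statement": true, "availability": true, "portfolio": true}

// Authorize enforces the split: a password login covers lookups, while a
// buy/sell needs a signed instruction that verifies and names that operation.
func Authorize(pub ed25519.PublicKey, loggedIn bool, op string, si *SignedInstruction) error {
	if !loggedIn {
		return fmt.Errorf("not logged in")
	}
	if readOnly[op] {
		return nil
	}
	if !Verify(pub, si) {
		return fmt.Errorf("%s requires a signed instruction that verifies", op)
	}
	if !bytes.HasPrefix(si.Instruction, []byte(op+":")) {
		return fmt.Errorf("signed instruction is not a %s order", op)
	}
	return nil
}

func main() {
	pub, kf, _ := MakeKeyFile([]byte("floppy-passphrase"))
	si, _ := SignInstruction(kf, []byte("floppy-passphrase"), []byte("buy:100 ACME limit 12.50"))
	fmt.Println(Authorize(pub, true, "statement", nil), Authorize(pub, true, "buy", nil), Authorize(pub, true, "buy", si))
}
```

Two things the post's wording hides. First, the "stands alone" property is exactly that `Verify` takes the public key and the artifact and nothing else: the bank can re-check a buy order years later from its own records, which a session-bound SSL client authentication cannot give you. Second, wiping in a garbage-collected language is best effort only: `wipe` zeroes the slices it is handed, but the collector may already have copied them, `ed25519.Sign` keeps its own intermediate buffers, and the password bytes are never touched here; in the browser the post envisages, the same caveat applies to any copy the SSL library or the C runtime has made of the key before `memset` runs.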