|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Muscle] muscle getChallenge, versus GP 2 way authentication
From: Peter Williams (home_pw
msn.com)
Date: Thu Mar 17 2005 - 14:57:53 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Now I understand external authentication, with symmetric keys, we can turn
to designing the first of two contemplated changes : (1) require external
auth, merely to gain access to a particular cardedge method, (2) integrate
symmetric-key based ext auth with GP's init_update().
One way to address (1) could be to enable any _method_, that MIGHT be
configured to _require_ *prioir* ext auth, to have an additional keyno
field, in the method call (and wire format). If said keyno value is not
default, the read acl associated with Key[keyno] would be evaluated. Said
acl could require that the same key (now as principal) be currently logged
in, in order to read the key. The acl for the key would be managed as
today. Keys used in this manner (to provide method-level role-based access
control) might be specified in the constructor, or in the format command.
Design-stage comments?
I had an lazy/unprofessional notion also - to use the presence of the keyno
in the 'other' acl associated with Key[keyno] as a configuration signal -
requiring that any method subject to read-time controls now protect the
method's results, using said key (using some process).
I thinking also of requiring that the keys in Key[] are ordered - checked
with manufacturing/format time controls - with all ext.auth keys being
earlier in the array than any type of Key instance.
My only qualm with these minimialist-style changes is that we are really
not upgrading for the entire range of the real problem being addressed : 2
and n-factor authentication requirements, to acess a method (or object).
For example, a host driver might be required to complete ext-auth, the CO
might be required to bio-authentication, and the user shall be required to
present the old pin, during user pin update.
_______________________________________________
Muscle mailing list
Musclelists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]