Biometric UEUE Digression -- WAS: Re: [thesite] UEUE v.0.2 Update

Mark Nickel mnickel at new.rr.com
Thu Nov 8 09:31:22 CST 2001


> retinal scan based ldap authentication perhaps? just a thought here, but
> would a thing like this work at all?:

Heck yea!


> user goes to dan.evolt.org with X cookie(probably md5'd). dan.evolt.org
> grabs cookie, sends it via xml over local signed ssl certs to
> ueue.evolt.org. ueue.evolt.org assesses cookie, and sends a 'yes' or
> 'no' back to dan.evolt.org saying, 'user is cool with these
> credentials'. inter-server communication would be xml packets encrypted
> via locally signed certs. or better yet, ldap over ssl. just some
> thoughts at 10:30 at night after a six pack :)

Actually, evolt member's computer has a biometric input device that is the passkey to
their digital certificate signed by evolt.org and issued to the evolt member. When
the user logs on to their system, the digital cert. keyring is opened and ready for
use.

When the user goes to dan.evolt.org, the digital cert. is passed to the server, the
server sends the digital cert over xml/ssl/gpg to ueue.evolt.org, which checks the
digital cert. for validity with the digital cert. server (basically X.509/LDAP) and
returns their user profile to dan.evolt.org or failure.  dan.evolt.org sets a
cookie to maintain session state with the user and checks the digital cert. each
http request.  Because dan.evolt.org knows it's a good cert. since ueue.evolt.org
said so, dan.evolt.org can trust the user's digital cert. and won't need to interact
with ueue.evolt.org unless profile information would need to be updated!!! :)

sw33t!

Token-based 1 time password generators would work almost as well... :)

Biometrics are *almost* as sexy as Nano-tech, but not quite.. :)


> ya, greg was telling me about that.. heard the FBI guy pretty much
> bashed MS and sent the MS folks scurrying - not to address their
> problems but - to find holes in open source packages. "Well he said our
> solutions are insecure, but look at how insecure X open source software
> is!!!!!!"

And scurry they did!!!  I literally heard mouths drop open and hands slap foreheads
throughout his presentation from MS shops trying to remember if they've got the
latest patches...

Without saying anything direct, he basically said the Open Source applications were
generally more secure because the peer review process kept things honest...

I thought, though, several of his comments were *VERY* inappropriate and not very
Politically Correct...

But he mentioned Bastille Linux on his home servers... OOOoOOooooo  :)

He also slammed local security consulting groups that don't partner with law
enforcement... Calling those shops "security boutiques".  I'm hoping he wasn't
including Sun Tzu in that grouping... They seem bright.

w3rd... going to bed.
Mark

>
> wish i coulda been there, sorry for that uncalled for giddyness :)
>
> .djc.

--
"Caution: Cape does not enable user to fly."

-Batman costume warning label
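
The flow described in the reply above, as an added Python example (not code from the post or from evolt.org): the site server validates the certificate once against a stand-in for the central service, then binds a signed session cookie to the certificate fingerprint and checks it locally on each request. SESSION_KEY, SESSION_TTL, the function names and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

SESSION_KEY = b"constructed-demo-key"  # assumption: secret known only to the site server
SESSION_TTL = 900                      # assumption: seconds before the central check repeats

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def central_validate(cert_der: bytes, directory: dict):
    """Stand-in for the central service: return the profile, or None on failure."""
    entry = directory.get(fingerprint(cert_der))
    if entry is None or entry["revoked"]:
        return None
    return entry["profile"]

def _tag(fp: str, expires: str) -> str:
    return hmac.new(SESSION_KEY, f"{fp}|{expires}".encode(), hashlib.sha256).hexdigest()

def login(cert_der: bytes, directory: dict, now: int):
    """First contact: ask the central service once, then bind a cookie to the cert."""
    profile = central_validate(cert_der, directory)
    if profile is None:
        return None
    fp, expires = fingerprint(cert_der), str(now + SESSION_TTL)
    return profile, f"{fp}|{expires}|{_tag(fp, expires)}"

def check_request(cookie: str, cert_der: bytes, now: int) -> bool:
    """Every later request: verified locally, with no call to the central service."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdecimal():
        return False
    fp, expires, tag = parts
    if not hmac.compare_digest(tag.encode(), _tag(fp, expires).encode()):
        return False                      # forged or altered cookie
    if now >= int(expires):
        return False                      # stale: forces a fresh central check
    # The cert is assumed to come from a TLS handshake that proved key possession.
    return hmac.compare_digest(fp.encode(), fingerprint(cert_der).encode())

# Constructed sample data: certificate bytes are placeholders, not real DER.
ALICE_CERT, OTHER_CERT = b"constructed-cert-alice", b"constructed-cert-other"
DIRECTORY = {fingerprint(ALICE_CERT): {"profile": {"user": "alice"}, "revoked": False}}
```

Because later requests never reach the central service, a certificate revoked after login stays accepted until the cookie expires; SESSION_TTL bounds that window.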






