User-centric PKI

Symposium on Identity and Trust on the Internet Pub Date : 2008-03-04 DOI:10.1145/1373290.1373300

R. Perlman, C. Kaufman

{"title":"User-centric PKI","authors":"R. Perlman, C. Kaufman","doi":"10.1145/1373290.1373300","DOIUrl":null,"url":null,"abstract":"The goal of supporting Single Sign-On to the Web has proven elusive. A number of solutions have been proposed -- and some have even been deployed -- but the capability remains unavailable to most users and the solutions deployed raise concerns for both convenience and security. In this paper, we enumerate desirable attributes in a scheme for authenticating from an Internet browser to a web site and the authorization that follows. We categorize the currently deployed or advocated approaches, describing their benefits and issues, and we suggest incremental improvements to such schemes. We then outline a design for public-key based authentication particularly suited to what we believe to be the common case: users, acting on their own behalf (as opposed to as an employee of an organization), performing actions on the web such as making a purchase or maintaining an account at a service provider. We contrast the usability/privacy/security properties of our design with other identity management/authentication schemes deployed or being proposed today. Our design is truly user-centric, in the sense that the user acts as his own CA, and as a decision point for authorizing release of user information to web sites, rather than having an Identity Provider be the center of trust.","PeriodicalId":269454,"journal":{"name":"Symposium on Identity and Trust on the Internet","volume":"28 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2008-03-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"11","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Symposium on Identity and Trust on the Internet","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1373290.1373300","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 11

Abstract

The goal of supporting Single Sign-On to the Web has proven elusive. A number of solutions have been proposed -- and some have even been deployed -- but the capability remains unavailable to most users and the solutions deployed raise concerns for both convenience and security. In this paper, we enumerate desirable attributes in a scheme for authenticating from an Internet browser to a web site and the authorization that follows. We categorize the currently deployed or advocated approaches, describing their benefits and issues, and we suggest incremental improvements to such schemes. We then outline a design for public-key based authentication particularly suited to what we believe to be the common case: users, acting on their own behalf (as opposed to as an employee of an organization), performing actions on the web such as making a purchase or maintaining an account at a service provider. We contrast the usability/privacy/security properties of our design with other identity management/authentication schemes deployed or being proposed today. Our design is truly user-centric, in the sense that the user acts as his own CA, and as a decision point for authorizing release of user information to web sites, rather than having an Identity Provider be the center of trust.

查看原文本刊更多论文

以用户为中心的PKI

事实证明，支持Web单点登录的目标是难以实现的。已经提出了许多解决方案，有些甚至已经部署，但是大多数用户仍然无法使用该功能，并且部署的解决方案引起了对便利性和安全性的担忧。在本文中，我们列举了从Internet浏览器到web站点的身份验证方案以及随后的授权的理想属性。我们对目前部署或提倡的方法进行了分类，描述了它们的好处和问题，并建议对这些方案进行渐进式改进。然后，我们概述了一种基于公钥的身份验证设计，特别适合于我们认为最常见的情况:用户代表他们自己(而不是作为组织的雇员)在web上执行操作，例如在服务提供商处进行购买或维护帐户。我们将我们设计的可用性/隐私性/安全性与目前部署或提出的其他身份管理/身份验证方案进行了对比。我们的设计是真正以用户为中心的，从某种意义上说，用户充当他自己的CA，并作为授权向网站发布用户信息的决策点，而不是让身份提供者成为信任的中心。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Symposium on Identity and Trust on the Internet

自引率

0.00%

发文量