[foaf-dev] Re: RDFAuth: an initial sketch
Renato Golin
renato at ebi.ac.uk
Fri Mar 28 12:52:15 GMT 2008
Benjamin Nowack wrote:
> Hmm, ok, but wouldn't users also have to upload a private key
> to my server? And my app would have to send the private key
> to the encryption service, which I guess isn't too cool either.
Hi Benjamin,
Absolutely not! That's not acceptable under any circumstances,
especially when designing a (secure) authentication system... ;)
Your private key always remains on your machine, because only you can
start requests with your private key anyway. There are key managers
on KDE and Gnome, and in Thunderbird as well.
Because it's always you initiating the connection, you can encrypt the
text and send only C(text) instead of requiring the server to generate it
for you.
You could easily transport those keys (under even greater security)
from one computer to another, but I'd never recommend that anyone upload
private keys anywhere, even if the server says "it's safe and encrypted".
cheers,
--renato
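The exchange Renato describes, as an added example that is not part of the thread or of any RDFAuth code: the private key is generated and kept on the client, the server only ever receives the public key, and what goes over the wire is the text plus C(text). Two assumptions beyond the post: C(text) is realized as an Ed25519 signature rather than an encryption, and the server issues a random nonce that the signature covers, so a captured request cannot be replayed. The type names, the identifier strings and the registration step are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client keeps the private key in memory on the user's machine. Nothing in
// this type returns priv; the only operation it offers is producing C(text).
type Client struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewClient() (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material the client ever hands out (what a FOAF
// profile would publish; how the server learns it is assumed here).
func (c *Client) PublicKey() ed25519.PublicKey { return c.pub }

// Request is what travels to the server: the text, the server-issued nonce,
// and C(text) computed as an Ed25519 signature over nonce||text.
type Request struct {
	Nonce string
	Text  []byte
	Sig   []byte
}

func signedPayload(nonce string, text []byte) []byte {
	return append([]byte(nonce+"\n"), text...)
}

func (c *Client) SignRequest(nonce string, text []byte) Request {
	return Request{Nonce: nonce, Text: text, Sig: ed25519.Sign(c.priv, signedPayload(nonce, text))}
}

// Server holds public keys only, keyed by a hypothetical identifier, plus the
// nonces it has issued and not yet consumed (binding each signature to one exchange).
type Server struct {
	known  map[string]ed25519.PublicKey
	nonces map[string]bool
}

func NewServer() *Server {
	return &Server{known: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

func (s *Server) Register(id string, pub ed25519.PublicKey) { s.known[id] = pub }

// Challenge issues a fresh random nonce the client must include in what it signs.
func (s *Server) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n, nil
}

var (
	ErrUnknownUser  = errors.New("unknown user")
	ErrBadNonce     = errors.New("nonce not issued or already used")
	ErrBadSignature = errors.New("signature does not verify")
)

// Verify checks the request using nothing but the registered public key.
// The nonce is consumed only after a valid signature, so junk requests from
// a third party cannot burn a nonce the real user is about to use.
func (s *Server) Verify(id string, r Request) error {
	pub, ok := s.known[id]
	if !ok {
		return ErrUnknownUser
	}
	if !s.nonces[r.Nonce] {
		return ErrBadNonce
	}
	if !ed25519.Verify(pub, signedPayload(r.Nonce, r.Text), r.Sig) {
		return ErrBadSignature
	}
	delete(s.nonces, r.Nonce)
	return nil
}

func main() {
	c, _ := NewClient()
	s := NewServer()
	id := "http://example.org/alice#me" // constructed identifier
	s.Register(id, c.PublicKey())
	n, _ := s.Challenge()
	req := c.SignRequest(n, []byte("GET /private"))
	fmt.Println("first use:", s.Verify(id, req))  // <nil>
	fmt.Println("replay:   ", s.Verify(id, req))  // nonce not issued or already used
}
```

The server side never touches anything it could misuse: a compromised server yields public keys and consumed nonces, not credentials that could be used to impersonate the user elsewhere, which is the property lost the moment a private key is uploaded "safely".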