If you have a persistent but still anonymous relationship with a service provider,
your (and the provider's) main interest is that your "account" remains intact.
This should at least be applicable to on-line gaming accounts, where you build
virtual fortunes that you can even trade with other players.
Since PKI withstands phishing attacks using TLS client certificate authentication,
PKI is by far the most readily useful authentication solution for this scenario.
However, one must not forget that there is an "account setup phase" where the
user is assigned some kind of virtual identity and a suitable credential. Let's say
that this step has been phished (not hacked in the client, because that is another,
much more difficult attack). The worst that could happen is not that the
phisher gets your (so far empty) account; it is that the phisher and you get access
to the *same* account. With passwords this is unfortunately quite easy.
With PKI it is virtually *impossible*! How come? Well, if the key pair is created
by the client and the public key is sent to the provider for "certification", an attacker
gets nowhere by replacing the request or the resulting certificate, since you need the
matching private key to actually log in.
With this I just wanted to reiterate my claim that any new authentication-something
(i.e. beyond passwords) won't go anywhere if it doesn't also include good ol' PKI.
W3C's WebID is another thing pointing in exactly the same direction.
Anders
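The setup-phase argument above, as an added example that is not part of the original post or of any product it mentions. The client generates the key pair and submits only the public key; the provider binds it to a fresh account (standing in for a certificate) and authenticates by challenge-response signature. A phisher in the middle of enrollment can either relay the genuine public key or substitute their own; in neither case do both parties end up able to log in to the same account. All names (Provider, Enroll, Login, Scenario) are this example's own, and Ed25519 is used purely for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Provider holds the public key bound to each account ID (hypothetical model).
type Provider struct {
	accounts map[string]ed25519.PublicKey
	nextID   int
}

func NewProvider() *Provider {
	return &Provider{accounts: make(map[string]ed25519.PublicKey)}
}

// Enroll is the "account setup phase": the submitted public key is bound to a
// new account and the account ID is returned (our stand-in for a certificate).
func (p *Provider) Enroll(pub ed25519.PublicKey) string {
	p.nextID++
	id := fmt.Sprintf("acct-%d", p.nextID)
	p.accounts[id] = pub
	return id
}

// Challenge returns a fresh random nonce that the client must sign.
func (p *Provider) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Login succeeds only if sig is a valid signature over nonce under the key
// bound to id; possession of the public key or the "certificate" is not enough.
func (p *Provider) Login(id string, nonce, sig []byte) error {
	pub, ok := p.accounts[id]
	if !ok {
		return errors.New("unknown account")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not match the enrolled key")
	}
	return nil
}

// tryLogin is the client side: fetch a challenge and sign it with priv.
func tryLogin(p *Provider, id string, priv ed25519.PrivateKey) error {
	nonce, err := p.Challenge()
	if err != nil {
		return err
	}
	return p.Login(id, nonce, ed25519.Sign(priv, nonce))
}

// Outcome records who can log in to the account created during a phished setup.
type Outcome struct {
	UserCanLogin     bool
	AttackerCanLogin bool
}

// Scenario models a phisher sitting between user and provider during enrollment.
// substitute=false: the phisher relays the user's public key unchanged.
// substitute=true:  the phisher swaps in their own public key.
func Scenario(substitute bool) (Outcome, error) {
	p := NewProvider()
	userPub, userPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	attPub, attPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	submitted := userPub // what actually reaches the provider
	if substitute {
		submitted = attPub
	}
	id := p.Enroll(submitted)
	return Outcome{
		UserCanLogin:     tryLogin(p, id, userPriv) == nil,
		AttackerCanLogin: tryLogin(p, id, attPriv) == nil,
	}, nil
}

func main() {
	for _, sub := range []bool{false, true} {
		o, err := Scenario(sub)
		if err != nil {
			panic(err)
		}
		fmt.Printf("substitute=%v user=%v attacker=%v\n", sub, o.UserCanLogin, o.AttackerCanLogin)
	}
}
```

Relaying the genuine request gives the phisher nothing, because the private key never left the client; substituting their own key gives the phisher an empty account that the legitimate user can no longer reach, which is the lesser of the two evils the post contrasts. The shared-account outcome that a phished password produces cannot occur, since exactly one private key matches whatever was enrolled.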