Tuesday, January 01, 2002

Two interesting articles from Jon Udell:
The Event-Driven Internet
Digital IDs, Privacy, and Freedom - The Rules for a "Certificate-Rich" World Aren't Yet Written

Rich Kilmer: "I just picked up three new Java iButtons, and three USB readers that look to the OS like smart card readers. They have a Win2000 login integration, and a great Java API (to JavaCard 2.0). The Java iButtons do 1024-bit RSA key generation/signing, SHA-1 hashing, and triple-DES encryption. They can store 30 X.509v3 certs with 1024-bit keys (and/or hundreds of usernames and passwords). You can write apps that run on the iButtons (like wallets) and they can communicate with a desktop (or PDA) app. If I were AOL I'd send one of these to every one of my users and blow MS Passport away!"

I've been working on web-based SSO (single sign-on) for two years now. I don't believe that the whole world will ever trust a single Microsoft SSO system. Federation of different SSO systems sounds nice in theory, but has lots of trust and implementation problems, too. I still believe that digital certificates are the right solution. However, they should not be stored in my computer; I should rather be able to physically carry them around with me. This requires a hardware solution like the one Rich described above. I wonder if ProjectLiberty will go in this direction ...
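The security property behind "carry the certificate with me" is that the private key lives only inside the token, and the desktop sees nothing but the certificate and signatures over fresh challenges. The following is an added illustration, not code from this post, from Rich Kilmer, or from the iButton SDK: a host performs a challenge-response login against a token object that exposes only its certificate and a sign() operation. To stay standard-library only it uses a constructed, deliberately tiny RSA modulus and reduces the SHA-1 digest modulo n before signing; a real token would use a 1024-bit key and proper padding, and SHA-1 is no longer acceptable for signatures today. The `Token` class, `verify`, `host_authenticate` and the field names of the certificate dict are all assumptions of this example.

```python
"""Toy model of token-held-key authentication: the private exponent never
leaves the Token object; the host only holds certificates and checks
signatures over nonces it chose itself. Added example, not the page's code."""
import hashlib
import secrets

# Constructed toy RSA parameters (about 40 bits; NOT secure, illustration only).
P, Q = 1000003, 1000033          # two small primes
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent (Python 3.8+ modular inverse)


def _digest_mod_n(data: bytes, n: int) -> int:
    """SHA-1 the data and reduce into the signing domain (toy stand-in for
    the padding a real RSA signature scheme would apply)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n


class Token:
    """Stands in for the hardware token: holds the private exponent and
    exposes only a certificate (public half) and a sign() operation."""

    def __init__(self, subject: str, d: int, n: int, e: int):
        self._d = d  # kept private: no method ever returns it
        # Hypothetical minimal "certificate": subject plus public key.
        self.certificate = {"subject": subject, "n": n, "e": e}

    def sign(self, data: bytes) -> int:
        n = self.certificate["n"]
        return pow(_digest_mod_n(data, n), self._d, n)


def verify(certificate: dict, data: bytes, signature: int) -> bool:
    """Host-side check using only the public key from the certificate."""
    n, e = certificate["n"], certificate["e"]
    return pow(signature, e, n) == _digest_mod_n(data, n)


def host_authenticate(token: Token, trusted_certs: dict) -> bool:
    """Challenge-response login. The host:
    1. checks the presented certificate against its trust store,
    2. issues a fresh random nonce,
    3. accepts only a valid signature over that nonce.
    A captured signature cannot be replayed because the nonce changes."""
    cert = token.certificate
    if trusted_certs.get(cert["subject"]) != cert:
        return False
    nonce = secrets.token_bytes(16)
    challenge = b"login-challenge:" + nonce
    return verify(cert, challenge, token.sign(challenge))


if __name__ == "__main__":
    alice = Token("alice", D, N, E)
    store = {"alice": alice.certificate}          # what the host keeps
    print("genuine token:", host_authenticate(alice, store))
    # Same certificate, wrong private exponent: passes the trust-store check
    # but cannot produce a valid signature over the host's nonce.
    impostor = Token("alice", D + 1, N, E)
    print("impostor:", host_authenticate(impostor, store))
```

Note that `store` contains only public material, so compromising the desktop yields certificates but no signing capability, which is exactly the advantage over certificates held in a browser's key store.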