spf-discuss

Re: Is SPF Authentication or Authorization?

2004-09-21 15:53:52
On Tue, Sep 21, 2004 at 06:41:21PM -0400, Meng Weng Wong wrote:

> If we consider "please swipe employee pass to gain entry to
> building" as an example of authentication scheme, you can
> make the same claims that swiping an employee pass is not
> actually an authentication scheme, because maybe a bad guy
> stole your pass and is swiping it instead of you.

I am.  It is an authorization scheme.

First of all: nothing is 100% secure.

A swipe card is a key.  It is anonymous.

In your example, the company has sufficient trust in its employees.
They will handle the card with care and will report when stolen.

Still, the only thing they can say is: "Your key was used". They
cannot say "We are 100% sure it was you entering the building".
This is especially true when the card was reported stolen.

To authenticate the holder, other means are necessary.  The good old
"something you have, something you know" principle.  And even knowledge
can be stolen (think eavesdropping, think hold-ups).

SPF on a shared computer (think ISP) is like having a swipe
card hanging on a rope next to the card reader.  It proves nothing,
except that the swipe card was used to enter the building.

Alex
-- 
I ask you to respect any "Reply-To" and "Mail-Follow-Up" headers.  If
you reply to me off-list, you'd better tell me you're doing so.  If
you don't, and if I reply to the list, that's your problem, not mine.
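To make the "swipe card on a rope" point concrete, here is an added example (not code from the list post) of what an SPF check actually decides. It uses a constructed SPF record for the hypothetical domain example.com that authorizes one ISP relay's address block, and a minimal evaluator that handles only ip4/ip6 mechanisms and the "all" terminator (include, a, mx and redirect are deliberately left out). Two different senders behind the same relay get the same "pass": the check authorizes the host, it does not authenticate the person.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (assumption, not from the post).
# It authorizes one ISP relay's address block and denies everything else.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

# RFC 7208 qualifier -> result name
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS):
    """Evaluate a domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' (no record).
    Only ip4/ip6 mechanisms and 'all' are implemented; the record is looked
    up in an inline table instead of DNS so the example runs offline.
    """
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # A bare address means a single host; ip_network handles both forms.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
    # Record exhausted without a match and without "all": RFC 7208 says neutral.
    return "neutral"


def check_message(envelope_from, sender_ip):
    """Return (spf_result, domain) for a message with the given MAIL FROM.

    Note what is *not* consulted: the local part of the address. SPF has no
    opinion on whether "alice" or "mallory" is sitting at the keyboard.
    """
    domain = envelope_from.rpartition("@")[2]
    return evaluate_spf(domain, sender_ip), domain


# The shared ISP relay is the "swipe card hanging on a rope next to the reader".
RELAY_IP = "192.0.2.25"          # constructed address inside the authorized block
OUTSIDE_IP = "198.51.100.7"      # constructed address outside it

if __name__ == "__main__":
    for sender, ip in [("alice@example.com", RELAY_IP),
                       ("mallory@example.com", RELAY_IP),
                       ("alice@example.com", OUTSIDE_IP)]:
        result, domain = check_message(sender, ip)
        print(f"{sender:24} from {ip:14} -> {result:8} (domain {domain} authorized this host: {result == 'pass'})")
```

Running it shows alice and mallory both receiving "pass" from the relay address and "fail" from an address outside the record. The only statement a receiver can make on a pass is the one the post describes: "this host was authorized to use the domain", not "this message came from that person".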