Wednesday, August 2, 2006

Reviewing concepts

Schneier posted a comment today on his blog about an idea from Dave Piscitello raised on the Firewall Wizards mailing list. Dave says that, besides the already known concepts of Authentication, Authorization, Availability and Authenticity, there is also a need for "admissibility". This concept concerns the trustworthiness of the other endpoint of the connection (for example, whether it is free from keyloggers). Initially I thought it might just be a different way of looking at aspects of the other concepts, but now I think it really makes sense. I like these out-of-the-box discussions about basic concepts; I believe that big advances are born from them.

With this five-property view it becomes clear that two-factor authentication alone is not enough to secure Internet banking sessions, because it does not deal with admissibility: a compromised endpoint can still capture or hijack a session after the user has authenticated. A good example of the concept's applicability.

