Posted by Sanders Kaufman on 09/05/07 13:00

C. wrote:
> On 5 Sep, 11:00, Sanders Kaufman <bu...@kaufman.net> wrote:

>> It can be done, but it's a monumental task that duplicates processes
>> already established in the industry.
>>
>> It's called Public Key Encryption.
>>
>
> 1) that's not really the solution to the OP's problem - presumably he
> doesn't control the remote end to get the authentication system re-
> written. The only sensible reason for using a 13 digit single use
> password is to prevent leeching - it should be *very* straightforward
> to strip this from the responses - I don't understand why the OP
> thinks it's a problem.


Because it puts the "secret code" in the HTML for the client's browser -
effectively publishing it to the world.

The kind of security he's asking for is not possible. To solve his
problem, he'll have to ditch his current method, and implement a PK
scheme of some sort.


> 2) Client side certificates are *not* a monumental task - they're very
> easy to implement - not least because of the likes of cacert.org
> providing a free CA service.

No - that's not monumental.
But rolling your own CA system would be.
The hardest part would probably be negotiating a partnership agreement
with Dow Jones.

[Back to original message]