Sunday, 7 October 2007

So, who are you?

In this ever-increasing online world, we are all told how careful we must be when visiting web sites and giving our personal data. Are we sure the site really is our bank and not someone trying to get our account details, etc.
For a membership system, I am looking at the reverse situation. How can I trust that the person who is logging in really is who they say they are? This has led me to the "web of Trust" started by users of the PGP encryption system. I want to make certain, or as certain as I can, that only those who have permission can view or update records remotely. Problem is that PGP signing is used on email messages, not to authenticate access to web sites.
So how do we check someone when we can't see them? Do you, dear reader, implicitly trust every email that you receive just because you recognize the sender's name?
This is ongoing research, and I have no final answers yet.

No comments: