When a GPU training server gets compromised, the first question is always: what credentials were on that box, and where could they go? SSH keys scattered across hundreds of nodes. Service accounts with static secrets. Nobody knows exactly what exists on which machines.
Hardware-attested credentials eliminate this question. Credentials bound to verified hardware cannot be extracted or moved. The trust anchor is silicon, not software.
Interesting concept! For the JS snippet, what's the performance impact? I've had some past experiences with third-party scripts slowing down our page loads.
In the same way a self-signed certificate doesn't need to be signed by an official root of trust to be useful for authentication, a self-signed Personal CA doesn't need to be signed or cross-signed by another CA to be trusted by a server.
I'm a little confused, can you help me understand something?
Assume you created a self-signed personal certificate and you use that to sign your emails.
What if I make a self-signed cert claiming to be you, and create an email address nmelo@gmail.com.
How would someone know which one to trust if there wasn't a third party to verify you're the real nmelo? Websites do this with trusted CA roots on their browsers.
Going back further, businesses do it with services like Dun & Bradstreet.
Absolutely. The important part is that certificates don't necessarily need to encode any personal information to be immediately useful as a factor of authentication.
The fact that a person controls the private key associated with the certificate should be enough to allow any given server to trust the certificate, if they have enough confidence that the private key is being securely stored by the user.
Now extend that to a personal certificate authority. As long as the server is able to trust that the Root Certificate and any Intermediate certs in that CA are controlled by the user, they should be able to trust certificates signed by that CA to authenticate that person.
Thanks for explaining, would you mind answering a follow-up?
> the fact that a person controls the private key associated with the certificate should be enough
Going back to my example, of you and I both claiming to be the same person with our certificates, us both having a private key doesn't solve this problem. Who authenticates who is the real person? Or is that not the point of certificates?
> if they have enough confidence that the private key is being securely stored by the user
Or... is it that a self-signed cert just proves who owns the private key, and I'm putting too much into what a cert is supposed to be?
> and any Intermediate certs in that CA are controlled by the user,
Ah, ok, so I can act as my own CA because I have the private key for the root of trust.
So why is he relevant to "the Future of Authentication"?
I could see Martin Hellman being relevant, maybe. But there's no real substance in this piece, certainly not from Jermoluk. What I got out of it is that PKI is the answer. As I think DNS-based PKI is the answer, I think he's not too far, but he's probably selling something I don't need or want.
CommandScape is a startup in South Florida working to provide fully secure integrated Building Management Systems (Automated Buildings and Homes). The company is building advanced hardware and software systems that use Internet-standard cyber security throughout to manage, monitor, and automate the essential needs of a commercial building or private residence. The products employ a single suite of intuitive and easy-to-use applications that work transparently and securely from anywhere in the world.