
Question

I want to develop a system, something like a comment system for a website, that ensures I know who is posting comments. The content that is exchanged is not valuable and does not need to be encrypted; I just want to have some reasonable assurance that the person posting the comment is in fact who they say they are. If a post is spam, for example, I want to be able to hold the person accountable. At the same time I need the system to be low overhead for users. For example, giving them a list of 100 one-time phrases that would have to be pasted into an email or onto a website would be acceptable.

I am using node.js and was considering using a Diffie-Hellman key exchange.

I know this is fuzzy and I'm not looking for answers per se, but rather a way to think about it, an example or starting point or ... ?

Explanation / Answer

A strong authentication mechanism that is easy for the user and provides reasonable assurance would be to stand up a CA that is not trusted by anyone other than your application. Issue each user a certificate with their UPN as the only entry in the SAN extension. Configure your application to authenticate the user via their certificate, and instruct each user to install the certificate in their key store with an unexportable private key (in Windows CAPI, this is one check-box; in JKS, it is automatic; not sure how FF or Chrome do this on non-Windows platforms).

Since only the holder of the private key can get access, they have proven themselves to be the person on record, or else the person on record was sloppy with protecting their private key. Revocation means your application can see if someone was disabled very easily, just by OCSP request. The RSA key pair is stronger than any password, and you don't have to store their private key or any form or derivation of their password, so attacking you does not get an adversary access to your users. Built-in expiration dates mean you have an effective, enforced password rotation mechanism.

Provide an easy way for a user to request revocation and replacement.
