On 07/19/2012 03:41 PM, Ross Nicoll wrote:
> I'm guessing the idea would be to write an HTTP authentication protocol
> that uses public-key pairs, so a user can confirm they have a secret
> piece of information (the private key)

Fine idea:-) [1]

> without having to actually share
> it to do so, or by using a smaller number of authentication providers
> (for example Twitter, Facebook, Google) so they handle the password, and
> the site only gets confirmation from a trusted source that you are who
> you say you are.

But [1] is just one of the proposed new auth schemes [2]
some of which are more like your last bit above.

S.

[1] http://tools.ietf.org/html/draft-farrell-httpbis-hoba
[2] http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HttpAuthProposals

>
>
> On 19/07/2012 15:32, Poul-Henning Kamp wrote:
>> In message
>> <CAMm+LwjSOYkJQPayq1btXR5iXLNqBOdgQvsQMAAwhuZSNqQCXw@mail.gmail.com>
>> , Phillip Hallam-Baker writes:
>>
>>> My biggest Web security concern is not the risk of passwords being
>>> intercepted on the wire, it's the fact that users have no practical
>>> alternative to using the same password for the 100+ sites they use
>>> that demand one.
>> I have a hard time seeing how that can be solved at the HTTP protocol
>> level ?
>>
>
>
>

Received on Thursday, 19 July 2012 14:47:49 GMT
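
The proof-of-possession idea described in the quoted text above (show you hold the private key without sharing it), as an added example that is not part of the original thread and is not the wire format of the draft at [1]. It is a generic challenge-response sketch for Node.js; the `Server` class, `toBeSigned`, the `"auth-v1"` label, the 60-second lifetime and the sample origins are all assumptions.

```javascript
const crypto = require("node:crypto");
const CHALLENGE_TTL_MS = 60_000; // assumed challenge lifetime
// Bytes the client signs. Including the origin means a signature made
// for one site does not verify at another.
function toBeSigned(origin, nonce) {
  return Buffer.from(JSON.stringify(["auth-v1", origin, nonce]));
}
class Server {
  constructor(origin) {
    this.origin = origin;
    this.keys = new Map();    // keyId -> public key; no shared secret is stored
    this.pending = new Map(); // nonce -> expiry time (ms)
  }
  register(publicKey) {
    const der = publicKey.export({ type: "spki", format: "der" });
    const keyId = crypto.createHash("sha256").update(der).digest("hex");
    this.keys.set(keyId, publicKey);
    return keyId;
  }
  challenge(now = Date.now()) {
    const nonce = crypto.randomBytes(32).toString("hex");
    this.pending.set(nonce, now + CHALLENGE_TTL_MS);
    return nonce;
  }
  verify(keyId, nonce, signature, now = Date.now()) {
    const expiry = this.pending.get(nonce);
    this.pending.delete(nonce); // single use: a replayed response fails
    const key = this.keys.get(keyId);
    if (expiry === undefined || now > expiry || !key) return false;
    return crypto.verify(null, toBeSigned(this.origin, nonce), key, signature);
  }
}
// Constructed demo: one client key pair, one server, sample origins.
function demo() {
  const site = "https://example.org";
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const sign = (origin, nonce) =>
    crypto.sign(null, toBeSigned(origin, nonce), privateKey);
  const server = new Server(site);
  const keyId = server.register(publicKey);
  const n1 = server.challenge();
  const sig = sign(site, n1);
  const ok = server.verify(keyId, n1, sig);     // fresh challenge, right key
  const replay = server.verify(keyId, n1, sig); // same response sent again
  const n2 = server.challenge();
  const wrongOrigin = server.verify(keyId, n2, sign("https://other.example", n2));
  const n3 = server.challenge(0);               // issued at t=0, answered late
  const expired = server.verify(keyId, n3, sign(site, n3), CHALLENGE_TTL_MS + 1);
  return { ok, replay, wrongOrigin, expired };
}
```

The server only ever holds public keys, so a leak of its key table gives an attacker nothing to reuse at another site, which is the password-reuse concern raised further down the thread.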