Re: Discussion of Mandatory TLS in HTTP/2.0

I'm guessing the idea would be to write an HTTP authentication protocol 
that uses public-key pairs, so a user can confirm they have a secret 
piece of information (the private key) without having to actually share 
it to do so, or by using a smaller number of authentication providers 
(for example Twitter, Facebook, Google) so they handle the password, and 
the site only gets confirmation from a trusted source that you are who 
you say you are.


On 19/07/2012 15:32, Poul-Henning Kamp wrote:
> In message <CAMm+LwjSOYkJQPayq1btXR5iXLNqBOdgQvsQMAAwhuZSNqQCXw@mail.gmail.com>, Phillip Hallam-Baker writes:
>
>> My biggest Web security concern is not the risk of passwords being
>> intercepted on the wire, it's the fact that users have no practical
>> alternative to using the same password for the 100+ sites they use
>> that demand one.
> I have a hard time seeing how that can be solved at the HTTP protocol
> level?
>

Received on Thursday, 19 July 2012 14:41:41 UTC
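The first alternative sketched in the reply above (the user proves possession of a private key without ever sending it) is, at the HTTP level, a challenge-response exchange: the server issues a fresh nonce, the client signs it together with the request it is authenticating, and the server checks the signature against the public key it has on file. The following is an added example written for this archive page; it is not code from the original thread or from any HTTP WG draft. It assumes Ed25519 keys from Go's standard library, a made-up `PubKey` Authorization scheme, and constructed user and origin names. The signed string binds the nonce to the server's origin, method and path, so a signature captured from one site or request is rejected if replayed or relayed to another, and each nonce is consumed after one successful use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Challenge is what a server would carry in a WWW-Authenticate-style
// header: a fresh random nonce plus the origin it is valid for.
type Challenge struct {
	Nonce  string
	Origin string
}

// Server keeps the registered public key per user and the nonces it has
// issued but not yet consumed (each nonce is single-use).
type Server struct {
	Origin  string
	Users   map[string]ed25519.PublicKey
	pending map[string]bool
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, Users: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Register stores the user's public key; the private key never leaves the client.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.Users[user] = pub }

// NewChallenge issues a random nonce bound to this server's origin.
func (s *Server) NewChallenge() (Challenge, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Challenge{}, err
	}
	n := base64.RawURLEncoding.EncodeToString(b)
	s.pending[n] = true
	return Challenge{Nonce: n, Origin: s.Origin}, nil
}

// signingInput is the exact byte string both sides sign and verify. Including
// the origin, method and path means a signature produced for one site or
// request is useless against another.
func signingInput(c Challenge, method, path string) []byte {
	return []byte(strings.Join([]string{c.Origin, c.Nonce, method, path}, "\n"))
}

// ClientSign is the client's half: it proves possession of priv without
// transmitting it. The "PubKey" scheme name is an assumption for this example.
func ClientSign(user string, priv ed25519.PrivateKey, c Challenge, method, path string) string {
	sig := ed25519.Sign(priv, signingInput(c, method, path))
	return fmt.Sprintf("PubKey user=%s nonce=%s sig=%s",
		user, c.Nonce, base64.RawURLEncoding.EncodeToString(sig))
}

// Verify is the server's half. It returns the authenticated user name or an
// error; a nonce is consumed only after a valid signature, so the same header
// presented twice fails the second time.
func (s *Server) Verify(header, method, path string) (string, error) {
	parts := strings.Fields(header)
	if len(parts) != 4 || parts[0] != "PubKey" {
		return "", errors.New("malformed Authorization header")
	}
	fields := map[string]string{}
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, "=", 2)
		if len(kv) != 2 {
			return "", errors.New("malformed parameter")
		}
		fields[kv[0]] = kv[1]
	}
	user, nonce := fields["user"], fields["nonce"]
	pub, ok := s.Users[user]
	if !ok {
		return "", errors.New("unknown user")
	}
	if !s.pending[nonce] {
		return "", errors.New("unknown or already-used nonce")
	}
	sig, err := base64.RawURLEncoding.DecodeString(fields["sig"])
	if err != nil {
		return "", err
	}
	// The server reconstructs the signed string with ITS OWN origin, so a
	// signature the client made for some other site does not verify here.
	if !ed25519.Verify(pub, signingInput(Challenge{Nonce: nonce, Origin: s.Origin}, method, path), sig) {
		return "", errors.New("bad signature")
	}
	delete(s.pending, nonce)
	return user, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := NewServer("https://example.com") // constructed origin
	s.Register("alice", pub)              // constructed user
	c, _ := s.NewChallenge()
	h := ClientSign("alice", priv, c, "GET", "/account")
	fmt.Println(s.Verify(h, "GET", "/account")) // alice <nil>
	fmt.Println(s.Verify(h, "GET", "/account")) // replay: error
}
```

The private key is generated and held on the client side only; the server stores nothing that would let it, or anyone who breaches it, impersonate the user elsewhere, which is the property the reply contrasts with per-site passwords.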