- From: Ross Nicoll <jrn@jrn.me.uk>
- Date: Thu, 19 Jul 2012 15:41:15 +0100
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- CC: Phillip Hallam-Baker <hallam@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

I'm guessing the idea would be to write an HTTP authentication protocol that uses public-key pairs, so a user can confirm they have a secret piece of information (the private key) without having to actually share it to do so, or by using a smaller number of authentication providers (for example Twitter, Facebook, Google) so they handle the password, and the site only gets confirmation from a trusted source that you are who you say you are.

On 19/07/2012 15:32, Poul-Henning Kamp wrote:
> In message <CAMm+LwjSOYkJQPayq1btXR5iXLNqBOdgQvsQMAAwhuZSNqQCXw@mail.gmail.com>, Phillip Hallam-Baker writes:
>
>> My biggest Web security concern is not the risk of passwords being
>> intercepted on the wire, it's the fact that users have no practical
>> alternative to using the same password for the 100+ sites they use
>> that demand one.
>
> I have a hard time seeing how that can be solved at the HTTP protocol
> level?

Received on Thursday, 19 July 2012 14:41:41 UTC