- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 19 Jul 2012 15:47:06 +0100
- To: Ross Nicoll <jrn@jrn.me.uk>
- CC: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phillip Hallam-Baker <hallam@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 07/19/2012 03:41 PM, Ross Nicoll wrote:
> I'm guessing the idea would be to write an HTTP authentication protocol
> that uses public-key pairs, so a user can confirm they have a secret
> piece of information (the private key)

Fine idea:-) [1]

> without having to actually share
> it to do so, or by using a smaller number of authentication providers
> (for example Twitter, Facebook, Google) so they handle the password, and
> the site only gets confirmation from a trusted source that you are who
> you say you are.

But [1] is just one of the proposed new auth schemes [2], some of which
are more like your last bit above.

S.

[1] http://tools.ietf.org/html/draft-farrell-httpbis-hoba
[2] http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HttpAuthProposals

>
> On 19/07/2012 15:32, Poul-Henning Kamp wrote:
>> In message
>> <CAMm+LwjSOYkJQPayq1btXR5iXLNqBOdgQvsQMAAwhuZSNqQCXw@mail.gmail.com>
>> , Phillip Hallam-Baker writes:
>>
>>> My biggest Web security concern is not the risk of passwords being
>>> intercepted on the wire, it's the fact that users have no practical
>>> alternative to using the same password for the 100+ sites they use
>>> that demand one.
>> I have a hard time seeing how that can be solved at the HTTP protocol
>> level ?
>>
Received on Thursday, 19 July 2012 14:47:49 UTC