Re: Discussion of Mandatory TLS in HTTP/2.0

On 07/19/2012 03:41 PM, Ross Nicoll wrote:
> I'm guessing the idea would be to write an HTTP authentication protocol
> that uses public-key pairs, so a user can confirm they have a secret
> piece of information (the private key) 

Fine idea:-) [1]

> without having to actually share
> it to do so, or by using a smaller number of authentication providers
> (for example Twitter, Facebook, Google) so they handle the password, and
> the site only gets confirmation from a trusted source that you are who
> you say you are.

But [1] is just one of the proposed new auth schemes [2], some
of which are more like your last bit above.

S.

[1] http://tools.ietf.org/html/draft-farrell-httpbis-hoba
[2] http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HttpAuthProposals

> On 19/07/2012 15:32, Poul-Henning Kamp wrote:
>> In message
>> <CAMm+LwjSOYkJQPayq1btXR5iXLNqBOdgQvsQMAAwhuZSNqQCXw@mail.gmail.com>
>> , Phillip Hallam-Baker writes:
>>
>>> My biggest Web security concern is not the risk of passwords being
>>> intercepted on the wire, it's the fact that users have no practical
>>> alternative to using the same password for the 100+ sites they use
>>> that demand one.
>> I have a hard time seeing how that can be solved at the HTTP protocol
>> level?
>>
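As an added illustration of the scheme Ross sketches above (this is my example code, not text from the thread and not the HOBA draft's wire format): the client proves it holds a private key by signing a server-issued challenge, and the key itself never crosses the wire. The Challenge layout and the origin-binding hash below are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Challenge is what the server sends; the client signs it and nothing else.
// Binding the origin into the signed bytes means a response captured for one
// site does not verify if presented to a different one (assumed layout).
type Challenge struct {
	Nonce  []byte
	Origin string
}

func NewChallenge(origin string) (Challenge, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return Challenge{}, err
	}
	return Challenge{Nonce: n, Origin: origin}, nil
}

// toBeSigned canonicalises the challenge so both sides hash identical bytes.
func toBeSigned(c Challenge) []byte {
	h := sha256.Sum256(append([]byte(c.Origin+"\x00"), c.Nonce...))
	return h[:]
}

// Prove runs on the client: the private key is used here and never sent.
func Prove(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, toBeSigned(c))
}

// Verify runs on the server against the public key enrolled for the account.
func Verify(pub ed25519.PublicKey, c Challenge, sig []byte) bool {
	return ed25519.Verify(pub, toBeSigned(c), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c, _ := NewChallenge("https://example.com")
	sig := Prove(priv, c)
	fmt.Println("valid proof:", Verify(pub, c, sig))
	other := Challenge{Nonce: c.Nonce, Origin: "https://other.example"}
	fmt.Println("same proof at another origin:", Verify(pub, other, sig))
}
```

A real server would additionally remember each nonce it issued and accept it only once, so a captured proof cannot be replayed to the same origin.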

Received on Thursday, 19 July 2012 14:47:49 UTC