Re: Discussion of Mandatory TLS in HTTP/2.0

On 07/19/2012 03:41 PM, Ross Nicoll wrote:
> I'm guessing the idea would be to write an HTTP authentication protocol
> that uses public-key pairs, so a user can confirm they have a secret
> piece of information (the private key) 

Fine idea:-) [1]

> without having to actually share
> it to do so, or by using a smaller number of authentication providers
> (for example Twitter, Facebook, Google) so they handle the password, and
> the site only gets confirmation from a trusted source that you are who
> you say you are.

But [1] is just one of the proposed new auth schemes [2], some
of which are more like your last bit above.



> On 19/07/2012 15:32, Poul-Henning Kamp wrote:
>> In message
>> <>
>> , Phillip Hallam-Baker writes:
>>> My biggest Web security concern is not the risk of passwords being
>>> intercepted on the wire, it's the fact that users have no practical
>>> alternative to using the same password for the 100+ sites they use
>>> that demand one.
>> I have a hard time seeing how that can be solved at the HTTP protocol
>> level?

Received on Thursday, 19 July 2012 14:47:49 UTC
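
The public-key idea discussed in this message, as an added example that is not part of the thread or of the proposals it cites: the server issues a single-use nonce, the client signs it together with the site's origin, and the server checks the signature against a stored public key. The names (Nonces, NewKey, Sign, Verify), the "auth-v1" label and the example origins are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Nonces tracks challenges the server issued and has not yet seen answered.
type Nonces map[string]bool

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG, no authentication
	}
	return b
}

// NewKey makes a client key pair; only the public half is ever given to a server.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// Challenge issues a fresh single-use nonce.
func (p Nonces) Challenge() string {
	n := fmt.Sprintf("%x", randBytes(16))
	p[n] = true
	return n
}

// Sign runs on the client; "auth-v1" is an assumed label binding origin and nonce.
func Sign(priv ed25519.PrivateKey, origin, nonce string) []byte {
	return ed25519.Sign(priv, []byte("auth-v1\n"+origin+"\n"+nonce))
}

// Verify consumes the nonce (so a replay fails), then checks it for the server's own origin.
func (p Nonces) Verify(origin string, pub ed25519.PublicKey, nonce string, sig []byte) bool {
	fresh := p[nonce]
	delete(p, nonce)
	return fresh && ed25519.Verify(pub, []byte("auth-v1\n"+origin+"\n"+nonce), sig)
}

func main() {
	pub, priv := NewKey() // constructed sample identity
	p := Nonces{}
	n := p.Challenge()
	fmt.Println(p.Verify("https://a.example", pub, n, Sign(priv, "https://a.example", n)))
}
```

Because the origin is part of the signed message, a response captured at one site does not verify at another, which is the property a password reused across sites lacks.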