W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2008

[whatwg] fixing the authentication problem

From: timeless <timeless@gmail.com>
Date: Tue, 21 Oct 2008 21:12:58 +0100
Message-ID: <26b395e60810211312y7425771fh3471e24d1800ac81@mail.gmail.com>
This is bogus. Tls supports a way to return different certs based on the name.

On 10/21/08, Andy Lyttle <whatwg at phroggy.com> wrote:
> 4. The need for a dedicated IP address, instead of using name-based
> virtual hosts.
>
> That and #1 are the reasons I don't use it more.
>
> --
> Andy Lyttle
> whatwg at phroggy.com
>
>
>
> On Oct 21, 2008, at 7:48 AM, Aaron Swartz wrote:
>
>>>> Some major web services redirect the user to an SSL server for
>>>> the login transaction, but SSL is too expensive for the vast
>>>> majority
>>>> of services.
>>> The issue is not SSL being expensive: the only expensive part is
>>
>> There are three costs to SSL:
>>
>> 1. Purchasing a signed cert.
>> 2. Configuring the web server.
>> 3. The CPU time necessary to do the encryption.
>>
>> 1 could be fixed by less paranoid UAs, 2 could be fixed with better
>> software and SNI, and 3 could be fixed by better hardware. But,
>> realistically, I don't see any of these things happening.
>>
>>> What's the actual difference between this and https? Both mechanisms
>>> are using public-key encryption to protect the communications; the
>>
>> The difference is that this would work practically. Server authors
>> typically can't configure, but they typically can install an
>> encryption library. Support will get built into web applications and
>> web application frameworks (disclosure: I'm the author of a web
>> application framework) and the Web will be more secure.
>
>

-- 
Sent from Gmail for mobile | mobile.google.com
Received on Tuesday, 21 October 2008 13:12:58 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:06 UTC