Maybe It's Snake Oil All the Way Down

Eric Rescorla ekr at rtfm.com
Wed Jun 4 12:06:08 EDT 2003


"James A. Donald" <jamesd at echeque.com> writes:

>     --
> On 3 Jun 2003 at 15:04, James A. Donald wrote:
> > I never figured out how to use a certificate to authenticate 
> > a client to a web server, how to make a web form available to 
> > one client and not another.  Where do I start?
> >
> > What I and everyone else does is use a shared secret, a 
> > password stored on the server, whereby the otherwise 
> > anonymous client gets authenticated, then gets an ephemeral 
> > cookie identifying him.  I cannot seem to find any how-tos 
> > or examples for anything better, whether for IIS or apache.
> >
> > As a result we each have a large number of shared secret 
> > passwords, whereby we each log into a large number of 
> > webservers.  Was this what the people who created this 
> > protocol intended?
> 
> Or to say the same thing in different words -- why can't HTTPS 
> be more like SSH?    Why are we seeing a snow storm of scam
> mails trying to get us to login to e-g0ld.com? 
Because HTTPS is designed to let you talk to people you've
never talked to before, which is an inherently harder problem
than allowing you to talk to people you have.

-Ekr

-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/
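The quoted question asks how a certificate, rather than a server-side password, can authenticate a client to a web server and gate a form to one client only. The configuration below is an added example for Apache httpd 2.4 with mod_ssl; it is not from the thread or from either poster. The hostname, file paths, the CA name and the CN value "alice" are placeholders, and the directives used (SSLVerifyClient, SSLCACertificateFile, Require expr with the SSL_CLIENT_* variables) are standard mod_ssl and ap_expr features.

```apache
# Added example, not part of the original message: an Apache httpd 2.4
# virtual host that requires a TLS client certificate for every request and
# lets only one certificate holder reach a particular form. All hostnames,
# paths and the CN/CA names below are placeholders.
<VirtualHost *:443>
    ServerName example.test                              # placeholder

    SSLEngine on
    SSLCertificateFile      /etc/ssl/example.test.crt    # server cert (placeholder)
    SSLCertificateKeyFile   /etc/ssl/example.test.key    # server key  (placeholder)

    # Only certificates chaining to this CA are accepted as clients. Keep it
    # to the CA you control for issuing client certs; a public CA bundle here
    # would accept any certificate those CAs have ever issued.
    SSLCACertificateFile    /etc/ssl/client-ca.crt       # placeholder

    # Authentication happens in the TLS handshake: the client proves
    # possession of the private key, so no shared secret is stored on the
    # server or typed into a form. Set at virtual-host level so that no
    # renegotiation is needed for per-location checks.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Authorization is separate from authentication: any cert from our CA
    # gets a TLS session, but this form is limited to one subject CN issued
    # by our CA. Everyone else receives 403.
    <Location "/private/form">
        Require expr "%{SSL_CLIENT_S_DN_CN} == 'alice' && %{SSL_CLIENT_I_DN_O} == 'Example Internal CA'"
    </Location>

    # Optional: expose SSL_CLIENT_* to CGI/PHP so the application can log or
    # act on the authenticated identity instead of a password-derived cookie.
    <Location "/private">
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

Two points worth checking when deploying something like this: matching on the issuer as well as the subject CN matters, because a CN alone is only unique within one CA, and the CA file should contain solely the CA that issues client certificates, since every certificate it trusts becomes a valid login. This addresses the "how" in the question; Ekr's point about HTTPS being built for first contact with strangers still stands, since the client certificate scheme above only works once the server has chosen whom to trust.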

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com