[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?

Carlo Contavalli ccontavalli at gmail.com
Tue Aug 4 10:29:13 EDT 2015


On Mon, Aug 3, 2015 at 8:19 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Sun, Aug 2, 2015 at 9:54 AM, Carlo Contavalli <ccontavalli at gmail.com>
> wrote:
>>
>> Are there / why are not similar technologies used for web?
>
> Two words: user experience
>

It's 2015 - I'm sure we could figure something out?

Without thinking much... some support for "styled authentication"
would not be that hard to add to a browser? We introduce an:

<authentication>

</authentication>

with a type="" attribute specifying how / what protocol to use to
authenticate, determines some fixed fields (e.g., username, password,
otp, hw token, ...) that the browser is able to recognize and display
in a special way (example: url bar expands to show the inputs under
the ssl lock)? Can have a link to recover password, no javascript, but
some CSS for styling? It does not have to be an ugly window like the
404 authorization required.

If authentication is successful, based on the type used, can include a
cookie, start using some special encryption, or include a
WWW-authenticate field.

Sharing the cookie / encryption / ... across multiple requests /
responses should not be hard, similar to SSL session reuse?

Carlo

