[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?
Ron Garret
ron at flownet.com
Wed Aug 5 00:10:42 EDT 2015
On Aug 4, 2015, at 7:24 PM, Carlo Contavalli <ccontavalli at gmail.com> wrote:
> On Tue, Aug 4, 2015 at 6:57 PM, Ben Laurie <ben at links.org> wrote:
>> On Tue, 4 Aug 2015 at 18:09 Carlo Contavalli <ccontavalli at gmail.com> wrote:
>>>
>>> On Mon, Aug 3, 2015 at 8:19 PM, Tony Arcieri <bascule at gmail.com> wrote:
>>>> On Sun, Aug 2, 2015 at 9:54 AM, Carlo Contavalli <ccontavalli at gmail.com>
>>>> wrote:
>>>>>
>>>>> Are there / why are not similar technologies used for web?
>>>>
>>>> Two words: user experience
>>>>
>>>
>>> It's 2015 - I'm sure we could figure something out?
>>>
>>> Without thinking much...
>>
>>
>> Right, because why bother to think about one of the longest standing
>> security problems we have on the 'net? Obviously you should be able to fix
>> that in your sleep.
>
> meh :-( I just associated "user experience" with the stigma associated
> with http authentication and various schemes based on it, which, among
> many other drawbacks, look horrible to the end user, and just lead to
> bad user experience.
FYI/FWIW I took a whack at re-inventing authentication a few years back and came up with this:
http://dswi.net
It’s essentially browser certs implemented in JavaScript, which essentially delegates authentication to a trusted third party. It was designed to be more secure than usernames and passwords (which is a pretty low bar) but super-easy for both users and relying-parties to use.
If there’s any interest in this I’d be happy to provide more details.
rg