On 15/09/2010 00:26, Nicolas Williams wrote:
On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote:
How do you deliver Javascript to the browser securely in the first
place? HTTP?
I'll note that Ben's proposal is in the same category as mine (which
was, to remind you, implement SCRAM in
On 14/09/2010 21:16, Marsh Ray wrote:
On 09/14/2010 09:13 AM, Ben Laurie wrote:
Demo here: https://webid.digitalbazaar.com/manage/
This Connection is Untrusted
So? It's a demo.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
There is no limit to what a man can do or
On 14/09/10 2:26 PM, Marsh Ray wrote:
On 09/13/2010 07:24 PM, Ian G wrote:
1. In your initial account creation / login, trigger a creation of a
client certificate in the browser.
There may be a way to get a browser to generate a cert or CSR, but I
don't know it. But you can simply generate
On 09/13/2010 07:24 PM, Ian G wrote:
On 11/09/10 6:45 PM, f...@mail.dnttm.ro wrote:
Essentially, the highest risk we have to tackle is the database.
Somebody having access to the database, and by this to the
authentication hashes against which login requests are verified,
should not be able to
On 14/09/2010 12:29, Ian G wrote:
On 14/09/10 2:26 PM, Marsh Ray wrote:
On 09/13/2010 07:24 PM, Ian G wrote:
1. In your initial account creation / login, trigger a creation of a
client certificate in the browser.
There may be a way to get a browser to generate a cert or CSR, but I
don't
On Tue, Sep 14, 2010 at 13:29, Ian G i...@systemics.com wrote:
On 14/09/10 2:26 PM, Marsh Ray wrote:
On 09/13/2010 07:24 PM, Ian G wrote:
1. In your initial account creation / login, trigger a creation of a
client certificate in the browser.
There may be a way to get a browser to generate
On 09/14/2010 09:13 AM, Ben Laurie wrote:
On 14/09/2010 12:29, Ian G wrote:
On 14/09/10 2:26 PM, Marsh Ray wrote:
On 09/13/2010 07:24 PM, Ian G wrote:
1. In your initial account creation / login, trigger a creation of a
client certificate in the browser.
There may be a way to get a
On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote:
On 09/14/2010 09:13 AM, Ben Laurie wrote:
Of some interest to me is the approach I saw recently (confusingly named
WebID) of a pure Javascript implementation (yes, TLS in JS, apparently),
allowing UI to be completely controlled by the
On 2010-09-09 6:35 AM, Ben Laurie wrote:
What I do in Nigori for this is use DSA. Your private key, x, is the
hash of the login info. The server has g^x, from which it cannot
recover x,
Except, of course, by dictionary attack, hence g^x, being low
entropy, is treated as a shared secret.
and
On 9 September 2010 10:08, James A. Donald jam...@echeque.com wrote:
On 2010-09-09 6:35 AM, Ben Laurie wrote:
What I do in Nigori for this is use DSA. Your private key, x, is the
hash of the login info. The server has g^x, from which it cannot
recover x,
Except, of course, by dictionary
Hi.
Just subscribed to this list for posting a specific question. I hope the
question I'll ask is in place here.
We do a web app with an Ajax-based client. Anybody can download the client and
open the app, only, the first thing the app does is ask for login.
The login doesn't happen using
On 8 September 2010 16:45, f...@mail.dnttm.ro wrote:
Hi.
Just subscribed to this list for posting a specific question. I hope the
question I'll ask is in place here.
We do a web app with an Ajax-based client. Anybody can download the client
and open the app, only, the first thing the app
f...@mail.dnttm.ro writes:
The idea is the following: we don't want to secure the connection,
Why not?
Using HTTPS is easier than making up some half-baked scheme that won't work
anyway.
--
http://noncombatant.org/