On 14/09/2010 21:16, Marsh Ray wrote:
> On 09/14/2010 09:13 AM, Ben Laurie wrote:
>> Demo here: https://webid.digitalbazaar.com/manage/
>
> "This Connection is Untrusted"
So? It's a demo.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can
On 15/09/2010 00:26, Nicolas Williams wrote:
> On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote:
>> How do you deliver Javascript to the browser securely in the first
>> place? HTTP?
>
> I'll note that Ben's proposal is in the same category as mine (which
> was, to remind you, implement S
On Tue, Sep 14, 2010 at 03:16:18PM -0500, Marsh Ray wrote:
> On 09/14/2010 09:13 AM, Ben Laurie wrote:
> >Of some interest to me is the approach I saw recently (confusingly named
> >WebID) of a pure Javascript implementation (yes, TLS in JS, apparently),
> >allowing UI to be completely controlled b
On 09/14/2010 09:13 AM, Ben Laurie wrote:
On 14/09/2010 12:29, Ian G wrote:
On 14/09/10 2:26 PM, Marsh Ray wrote:
On 09/13/2010 07:24 PM, Ian G wrote:
1. In your initial account creation / login, trigger a creation of a
client certificate in the browser.
There may be a way to get a browser
On Tue, Sep 14, 2010 at 13:29, Ian G wrote:
> On 14/09/10 2:26 PM, Marsh Ray wrote:
>>
>> On 09/13/2010 07:24 PM, Ian G wrote:
>
>>> 1. In your initial account creation / login, trigger a creation of a
>>> client certificate in the browser.
>>
>> There may be a way to get a browser to generate a c
On 14/09/2010 12:29, Ian G wrote:
> On 14/09/10 2:26 PM, Marsh Ray wrote:
>> On 09/13/2010 07:24 PM, Ian G wrote:
>
>>> 1. In your initial account creation / login, trigger a creation of a
>>> client certificate in the browser.
>>
>> There may be a way to get a browser to generate a cert or CSR, b
On 14/09/10 2:26 PM, Marsh Ray wrote:
On 09/13/2010 07:24 PM, Ian G wrote:
1. In your initial account creation / login, trigger a creation of a
client certificate in the browser.
There may be a way to get a browser to generate a cert or CSR, but I
don't know it. But you can simply generate i
On 09/13/2010 07:24 PM, Ian G wrote:
On 11/09/10 6:45 PM, f...@mail.dnttm.ro wrote:
Essentially, the highest risk we have to tackle is the database.
Somebody having access to the database, and by this to the
authentication hashes against which login requests are verified,
should not be able to
On 11/09/10 6:45 PM, f...@mail.dnttm.ro wrote:
Essentially, the highest risk we have to tackle is the database. Somebody
having access to the database, and by this to the authentication hashes against
which login requests are verified, should not be able to authenticate as
another user. Whi
Hi.
So many answers, so little time to answer :-/
First, thanks to all who gave me an answer. I'll try to answer all posts I got
on the subject in one large mail.
I may be a bit cheeky, for a new subscriber, so I apologize in advance. I think
at least some of the answers I got are derailed in
On 9 September 2010 10:08, James A. Donald wrote:
> On 2010-09-09 6:35 AM, Ben Laurie wrote:
>>
>> What I do in Nigori for this is use DSA. Your private key, x, is the
>> hash of the login info. The server has g^x, from which it cannot
>> recover x,
>
> Except, of course, by dictionary attack, hen
On 2010-09-09 6:35 AM, Ben Laurie wrote:
What I do in Nigori for this is use DSA. Your private key, x, is the
hash of the login info. The server has g^x, from which it cannot
recover x,
Except, of course, by dictionary attack, hence g^x, being low
entropy, is treated as a shared secret.
and th
f...@mail.dnttm.ro writes:
> The idea is the following: we don't want to secure the connection,
Why not?
Using HTTPS is easier than making up some half-baked scheme that won't work
anyway.
--
http://noncombatant.org/
On 8 September 2010 16:45, wrote:
>
> Hi.
>
> Just subscribed to this list for posting a specific question. I hope the
> question I'll ask is in place here.
>
> We do a web app with an Ajax-based client. Anybody can download the client
> and open the app, only, the first thing the app does is as
On 09/08/2010 10:45 AM, f...@mail.dnttm.ro wrote:
Hi.
Just subscribed to this list for posting a specific question. I hope
the question I'll ask is in place here.
Oh good, this makes me not the new guy now :-)
These seem like nice standard, authentication system design questions.
I'll give t
On Wed, Sep 08, 2010 at 05:45:26PM +0200, f...@mail.dnttm.ro wrote:
> We do a web app with an Ajax-based client. Anybody can download the
> client and open the app, only, the first thing the app does is ask for
> login.
>
> The login doesn't happen using form submission, nor does it happen via
> a