Re: sketch of a simple authentication protocol

2008-04-07 Thread Story Henry
On 4 Apr 2008, at 18:07, Stian Soiland-Reyes wrote: So the connection to romeo.net should be certified https as well, otherwise this is just as insecure as OpenID. yes, that's a good point. At least it is not much worse than openid, which is not bad. A man in the middle attack is not so ea

Re: sketch of a simple authentication protocol

2008-04-04 Thread Bruno Harbulot
Story Henry wrote: On 3 Apr 2008, at 16:15, Adam Rosien wrote: It may be more appropriate to use the Authorization HTTP header to pass along Romeo's credentials. Rob's email using SSL certs only seems a lot cleaner and doesn't need the client to push anything into the request. I need to re

Re: sketch of a simple authentication protocol

2008-04-04 Thread Bruno Harbulot
Hello, Story Henry wrote: The 5 steps explained: 1. Romeo's User Agent GETs Juliette's public foaf file at , that file contains the relation: <> rdfs:seeAlso . 2. Romeo's UserAgent does a GET on the HTTPS URL with the extra

Re: sketch of a simple authentication protocol

2008-04-04 Thread Stian Soiland-Reyes
On Thu, Apr 3, 2008 at 9:26 AM, Story Henry <[EMAIL PROTECTED]> wrote:
> 2. Romeo's UserAgent does a GET on the HTTPS URL
> with the extra identification header:
>
> Agent-Id: http://romeo.name/#romeo
>
> All the https handshake stuff goes on as usual. From this Juliette's
> server extracts the

Re: sketch of a simple authentication protocol

2008-04-03 Thread Story Henry
On 3 Apr 2008, at 16:07, Rob Heittman wrote: Very cool idea ... ! It does indeed seem so. That is the beauty of doing research out in the open. Had I not done so, I may never have heard of Toby's idea. If you mean the keys used in normal SSL traffic, I don't know that any information ab

Re: sketch of a simple authentication protocol

2008-04-03 Thread Story Henry
On 3 Apr 2008, at 16:15, Adam Rosien wrote: It may be more appropriate to use the Authorization HTTP header to pass along Romeo's credentials. Rob's email using SSL certs only seems a lot cleaner and doesn't need the client to push anything into the request. I need to read up more on HTTPS to

Re: sketch of a simple authentication protocol

2008-04-03 Thread Adam Rosien
It may be more appropriate to use the Authorization HTTP header to pass along Romeo's credentials. Rob's email using SSL certs only seems a lot cleaner and doesn't need the client to push anything into the request. .. Adam On Thu, Apr 3, 2008 at 1:26 AM, Story Henry <[EMAIL PROTECTED]> wrote: >

Re: sketch of a simple authentication protocol

2008-04-03 Thread Rob Heittman
Very cool idea ... ! If you mean the keys used in normal SSL traffic, I don't know that any information about the client's SSL keys is usefully and consistently exposed by popular implementations. Obviously all the key exchange information exists on the server somewhere, but I don't know how to