[13430] in cryptography@c2.net mail archive
Re: Maybe It's Snake Oil All the Way Down
daemon@ATHENA.MIT.EDU (James A. Donald)
Tue Jun 3 18:17:35 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Date: Tue, 3 Jun 2003 15:04:54 -0700
Cc: bill.stewart@pobox.com, cryptography@metzdowd.com,
cypherpunks@lne.com, ekr@rtfm.com, rsalz@datapower.com,
sguthery@mobile-mind.com
In-reply-to: <200306031304.h53D4dl25250@medusa01.cs.auckland.ac.nz>
--
> That's a red herring. It happens to use X.509 as its
> preferred bit-bagging format for public keys, but that's
> about it. People use self-signed certs, certs from unknown
> CAs [0], etc etc, and you don't need certs at all if you
> don't need them, <blatant self-promotion>I've just done an
> RFC draft that uses shared secret keys for mutual
> authentication of client and server, with no need for
> certificates of any kind</blatant self-promotion>, so the use
> of certs, and in particular a hierarchical PKI, is merely an
> optional extra. It's no more required in SSL than it is in
> SSHv2.
I never figured out how to use a certificate to authenticate a
client to a web server, how to make a web form available to one
client and not another. Where do I start?
What I and everyone else does is use a shared secret, a
password stored on the server, whereby the otherwise anonymous
client gets authenticated, then gets an ephemeral cookie
identifying him.. I cannot seem to find any how-tos or
examples for anything better, whether for IIS or apache.
As a result we each have a large number of shared secret
passwords, whereby we each log into a large number of
webservers. Was this what the people who created this protocol
intended?
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
Y/QLPHyeZqXrSgYZI9nQsjsk7krbgSGfCZ0BLpOt
4gqWFWtV3GiEwWupSGyR895BQo0u2e4MmlgtpP/po
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
