[13443] in cryptography@c2.net mail archive
Re: Maybe It's Snake Oil All the Way Down
daemon@ATHENA.MIT.EDU (James A. Donald)
Wed Jun 4 08:27:12 2003
X-Original-To: cryptography@metzdowd.com
From: "James A. Donald" <jamesd@echeque.com>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Date: Tue, 3 Jun 2003 20:37:03 -0700
Cc: bill.stewart@pobox.com, cryptography@metzdowd.com,
cypherpunks@lne.com, ekr@rtfm.com, rsalz@datapower.com,
sguthery@mobile-mind.com
In-reply-to: <3EDCB916.14077.15D755CF@localhost>
--
On 3 Jun 2003 at 15:04, James A. Donald wrote:
> I never figured out how to use a certificate to authenticate
> a client to a web server, how to make a web form available to
> one client and not another. Where do I start?
>
> What I and everyone else does is use a shared secret, a
> password stored on the server, whereby the otherwise
> anonymous client gets authenticated, then gets an ephemeral
> cookie identifying him. I cannot seem to find any how-tos
> or examples for anything better, whether for IIS or apache.
>
> As a result we each have a large number of shared secret
> passwords, whereby we each log into a large number of
> webservers. Was this what the people who created this
> protocol intended?
Or to say the same thing in different words -- why can't HTTPS
be more like SSH? Why are we seeing a snow storm of scam
mails trying to get us to log in to e-g0ld.com?
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
QtiFX0Q654gHh54NAMlLGE1FGDveixyzL0ZnAOVS
4hprBkT1zeYk/HdBOXiquwvz5vLUwF/21wW1Jf411
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com