On 10/09/13 16:41, stef wrote:
> i have something like this eccentric authentication implemented for some time:
> https://github.com/stef/tlsauth
> i also provided django and flask bindings for it
> https://github.com/stef/django-tlsauth
> https://github.com/stef/flask-tlsauth
>
> and i use this in my "filesharing" service: stash:
> https://github.com/stef/stash/
>
> dunno how exactly this matches your eccentric auth, but i'd wager it's quite
> close. maybe some of you guys want to play with something practical. maybe you
> find epic bugs, so i can fix them or abandon this idea, thx for all.
> s
Hi Stef,

Please don't abandon the idea: Client Certificates are Cool(tm).

Your implementation is a 'classic' client certificate authentication scheme where you provide certificates to those you already know. It's useful when you know your audience, i.e., students at a uni, employees. Signing up, however, is a real barrier in any 'classic' scheme as you need to authenticate people to make sure that they belong to your audience. And there is a lot of command line work involved at the client. While you make it easy on the server operator, you forgot the client.

With Eccentric I turn that thing upside down.

1. I try to make it as easy on the client as possible. To the client, there is no cryptography involved. Only 'accounts'. Creating one is as easy as clicking a button. In fact, the hardest part is to come up with an account name. See [0], section: signing up.

2. In eccentric, the client certificate is anonymous. There is no user identifying information in it. When a visitor to a site wants to log in, they come up with a nickname and let the user agent (ecca-proxy [1]) do the work. It is therefore not suitable for a classic scheme at a uni, or office. It is meant to help strangers exchange keys and authenticate them to each other, while even we, the site operators who sign their certificates, cannot learn their identities. [1]

That's the basis of my "alien dating site" and the upcoming "cryptoblog".

For example: Had you and I used an eccentric authenticated blog site to exchange these messages, we would have authenticated each other as the writer of the message. By validating the message, we authenticate each other's public key. See: [2]

There is more you can do with client certificates. With proper checking at the user agent (browser) you can prevent phishing and man in the middle attacks.

Like I said, Client certificates are Cool(tm).

Regards,
Guido.
[0]: http://eccentric-authentication.org/blog/2013/06/12/walkthrough-datingsite.html
[1]: http://eccentric-authentication.org/
[2a]: http://eccentric-authentication.org/blog/2013/09/28/talk-for-brucon.html
[2b]: http://eccentric-authentication.org/Brucon-Eccentric.pdf
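The flow Guido describes, worked through with the openssl CLI as an added example: a visitor's certificate carries nothing but a chosen nickname, the site CA signs it without learning anything else, and a reader who validates a signed message thereby authenticates the author's public key. This is not code from the thread, ecca-proxy or tlsauth; it assumes only that openssl is installed, and the CA name, nickname and message are constructed here.

```bash
#!/bin/sh
# Added example (not ecca-proxy or tlsauth code). Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Site operator: a local CA that will sign visitors' certificates.
make_site_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/site.key" \
    -out "$WORK/site.crt" -subj "/CN=example-cryptoblog CA" -days 30 >/dev/null 2>&1
}

# Visitor: fresh key plus a CSR whose only subject field is the nickname.
# The CA sees the nickname and the public key, nothing identifying.
make_account() {
  nick="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$nick.key" \
    -out "$WORK/$nick.csr" -subj "/CN=$nick" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$nick.csr" -CA "$WORK/site.crt" \
    -CAkey "$WORK/site.key" -CAcreateserial -out "$WORK/$nick.crt" -days 30 >/dev/null 2>&1
}

# Author: sign a blog message with the account's private key.
sign_message() {
  nick="$1"; msg="$2"
  printf '%s' "$msg" > "$WORK/$nick.msg"
  openssl dgst -sha256 -sign "$WORK/$nick.key" -out "$WORK/$nick.sig" "$WORK/$nick.msg"
}

# Reader: check the certificate chains to the site CA, then check the message
# signature against the certificate's public key. On success print the nickname
# the site CA vouched for; any failure returns non-zero.
verify_message() {
  nick="$1"; msg="$2"
  openssl verify -CAfile "$WORK/site.crt" "$WORK/$nick.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$nick.crt" -pubkey -noout > "$WORK/$nick.pub"
  printf '%s' "$msg" > "$WORK/check.msg"
  openssl dgst -sha256 -verify "$WORK/$nick.pub" -signature "$WORK/$nick.sig" \
    "$WORK/check.msg" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$nick.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//'
}
```

A modified message fails the signature check even though the certificate itself still validates, which is the point: the certificate binds a nickname to a key, and the signature binds the message to that key.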
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography