Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for December 5, 2013
Deadline scheduling: coming soon?
LWN.net Weekly Edition for November 27, 2013
ACPI for ARM?
LWN.net Weekly Edition for November 21, 2013
RFC 5054 is also useful for certain websites, and IMAP particularly.
HTTPS Everywhere brings HTTPS almost everywhere
Posted Jul 4, 2010 4:45 UTC (Sun) by foom (subscriber, #14868)
Why is it useful to add password authentication to TLS? Both IMAP and HTTP already have ways of doing user authentication within the protocol itself. And, of course, you can use those mechanisms after setting up a TLS session if you want encryption.
Now, SRP *itself* looks like a nice replacement for CRAM-MD5, but why is it being proposed as an addition to TLS rather than as an additional mechanism in SASL? It seems like it'd be much more at home there...
Posted Jul 4, 2010 6:05 UTC (Sun) by TRS-80 (subscriber, #1804)
As for why SRP/TLS instead of TLS+SASL, the latter still requires a CA or self-signed certificates. HTTP auth isn't used much in the real world, and TLS/SRP isn't useful everywhere, since it requires a shared secret before establishing TLS. But when you have that, it's better than TLS+HTTP auth becuase again you don't require a CA, which is what cortana was asking about.
Posted Jul 4, 2010 19:15 UTC (Sun) by foom (subscriber, #14868)
I find it really hard to imagine a website which could actually use TLS/SRP instead of a server certificate (if even any browsers supported it). You couldn't display content at all unless the user already has a valid login. No user registration, no "forgot password", etc. That just doesn't seem realistic.
The main issue with deployment of HTTP auth is that it has no way to "logout" or to timeout a session. SRP/TLS has the exact same problem. At least with HTTP auth, you can have some pages on your site require logging in, and others not require a login, and you can display content to the user without a login...
Posted Jul 5, 2010 4:41 UTC (Mon) by TRS-80 (subscriber, #1804)
HTTP auth can't be natively timed out (although there have been some nasty hacks that can work around it; I don't have examples to hand, but could find them if you want), but Firefox 3+ has UI for it, under "Clear Private Data..."
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds