[13456] in cryptography@c2.net mail archive
Re: Maybe It's Snake Oil All the Way Down
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Jun 4 15:07:00 2003
X-Original-To: cryptography@metzdowd.com
To: "James A. Donald" <jamesd@echeque.com>
Cc: pgut001@cs.auckland.ac.nz (Peter Gutmann),
bill.stewart@pobox.com, cryptography@metzdowd.com,
cypherpunks@lne.com, rsalz@datapower.com, sguthery@mobile-mind.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 04 Jun 2003 09:06:08 -0700
In-Reply-To: <3EDD06EF.2850.17076FA5@localhost>
"James A. Donald" <jamesd@echeque.com> writes:
> --
> On 3 Jun 2003 at 15:04, James A. Donald wrote:
> > I never figured out how to use a certificate to authenticate
> > a client to a web server, how to make a web form available to
> > one client and not another. Where do I start?
> >
> > What I and everyone else does is use a shared secret, a
> > password stored on the server, whereby the otherwise
> > anonymous client gets authenticated, then gets an ephemeral
> > cookie identifying him. I cannot seem to find any how-tos
> > or examples for anything better, whether for IIS or apache.
> >
> > As a result we each have a large number of shared secret
> > passwords, whereby we each log into a large number of
> > webservers. Was this what the people who created this
> > protocol intended?
>
> Or to say the same thing in different words -- why can't HTTPS
> be more like SSH? Why are we seeing a snow storm of scam
> mails trying to get us to login to e-g0ld.com?
Because HTTPS is designed to let you talk to people you've
never talked to before, which is an inherently harder problem
than allowing you to talk to people you have.
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
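The certificate-based setup James asks about, as an added example that is not part of this thread: an Apache httpd mod_ssl configuration that requires a client certificate for the whole virtual host and then restricts one form to a single certificate holder. The file paths, the CA name and the subject CN "alice" are assumed placeholders; the directives themselves are standard mod_ssl directives.

```apache
# Added example (not from the thread). Assumes Apache httpd 2.4 with mod_ssl
# and a private CA that issues the client certificates you want to accept.
<VirtualHost *:443>
    ServerName www.example.test          # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/server.crt   # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/server.key   # placeholder path

    # Only certificates chaining to this CA are accepted as client identities.
    # Keep this file limited to the CA you actually issue client certs from:
    # every CA listed here can mint an accepted identity.
    SSLCACertificateFile  /etc/ssl/clientca/ca.crt      # placeholder path

    # Require a valid client certificate for the whole host; depth 1 means the
    # client cert must be signed directly by the CA above, not by an
    # intermediate.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Without a revocation list a lost or stolen client certificate stays
    # valid until it expires; publish a CRL from the CA and point here.
    SSLCARevocationFile /etc/ssl/clientca/ca.crl        # placeholder path
    SSLCARevocationCheck chain

    # Export the certificate subject fields so the application behind the
    # server (CGI, reverse-proxied app) can read SSL_CLIENT_S_DN_CN and
    # friends instead of asking for a password.
    SSLOptions +StdEnvVars

    # Make one form available to exactly one certificate holder. Any other
    # valid certificate still authenticates to the host but is denied here.
    <Location "/private/form">
        Require expr "%{SSL_CLIENT_S_DN_CN} == 'alice'"
    </Location>
</VirtualHost>
```

The server never stores a shared secret for the client: it verifies a signature against the CA certificate at handshake time, and the per-client rule is expressed on the certificate subject rather than on a password. What this does not solve is the problem in Eric's reply: the browser still has to have been issued a certificate by this particular CA before the first visit, so it is an answer for a closed user population, not for strangers.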
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com