From: Melvin Carvalho
To: Mike Hearn
Cc: bitcoingrant@gmx.com, Bitcoin Dev
Subject: Re: [Bitcoin-development] Message Signing based authentication
Date: Sat, 2 Nov 2013 14:16:12 +0100

On 2 November 2013 14:02, Mike Hearn <mike@plan99.net> wrote:

> On Sat, Nov 2, 2013 at 6:01 AM, <bitcoingrant@gmx.com> wrote:
>
>> In brief, the authentication works as follows:
>>
>> Server provides a token for the client to sign.
>>
>> Client passes the signed message and the bitcoin address back to the
>> server.
>>
>> Server validates the message and honors the alias (optional) and bitcoin
>> address as identification.
>
> http://pilif.github.io/2008/05/why-is-nobody-using-ssl-client-certificates/

I actually use client certificates for almost all of my authentication.

It's true that the browser manufacturers have created a UX which is not ideal, and very little effort is made to improve it. But it is possible. See this project from Mozilla Labs.

http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

Unfortunately this got killed :(

More popular is the trusted third party model like OAuth or Persona. There's a conflict of interest as well, because browser manufacturers are often identity providers too, so there is an incentive to push TTP technology.

There are two elements here. One is passwordless login (which I love). The other is who controls your identity. I like to control my own identity (in my browser) using PKI. But Facebook and the big webmail providers have a lion's share of the market.

The way to shift the balance is to offer the right incentives.


