Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.217.174 as permitted sender)
	client-ip=209.85.217.174; envelope-from=melvincarvalho@gmail.com;
	helo=mail-lb0-f174.google.com; 
MIME-Version: 1.0
In-Reply-To: <CANEZrP2UwEX+u0XCxmaMaRWqVMr+3E63UYnVz9oMubbsiJU+6A@mail.gmail.com>
References: <20131102050144.5850@gmx.com>
	<CANEZrP2UwEX+u0XCxmaMaRWqVMr+3E63UYnVz9oMubbsiJU+6A@mail.gmail.com>
Date: Sat, 2 Nov 2013 14:16:12 +0100
Message-ID: <CAKaEYhKt=wq_SwnrndpfQjnM9KWEoZ60dEO_wYmux5YsRK0=dQ@mail.gmail.com>
From: Melvin Carvalho <melvincarvalho@gmail.com>
To: Mike Hearn <mike@plan99.net>
Content-Type: multipart/alternative; boundary=047d7b3a88daa846a204ea317cf1
Cc: bitcoingrant@gmx.com,
	Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Message Signing based authentication
Precedence: list

--047d7b3a88daa846a204ea317cf1
Content-Type: text/plain; charset=ISO-8859-1

On 2 November 2013 14:02, Mike Hearn <mike@plan99.net> wrote:

> On Sat, Nov 2, 2013 at 6:01 AM, <bitcoingrant@gmx.com> wrote:
>
>> In brief, the authentication work as follows:
>>
>>
>>
>> Server provides a token for the client to sign.
>>
>> client passes the signed message and the bitcoin address back to the
>> server.
>>
>> server validates the message and honors the alias (optional) and bitcoin
>> address as identification.
>>
>
> http://pilif.github.io/2008/05/why-is-nobody-using-ssl-client-certificates/
>

I actually use client certificates for almost all of my authentication.

It's true that the browser manufacturers have created an UX which is not
ideal, and very little effort is made to improve it.  But it is possible.
See this project from Mozilla labs.

http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

Unfortunately this got killed :(

More popular is the trusted third party model like OAuth or Persona.
There's a conflict of interest as well, because browser manufacturers are
often identity providers too, so there is an incentive to push TTP
technology.

There's two elements here.  One is paswordless login (which I love).  The
other is who controls your identity.  I like to control my own identity (in
my browser) using PKI.  But facebook and the big webmail providers have a
lions share of the market.

The way to shift the balance is to offer the right incentives.


>
>
> ------------------------------------------------------------------------------
> Android is increasing in popularity, but the open development platform that
> developers love is also attractive to malware creators. Download this white
> paper to learn more about secure code signing practices that can help keep
> Android apps secure.
> http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
>

--047d7b3a88daa846a204ea317cf1
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">On 2 November 2013 14:02, Mike Hearn <span dir=3D"ltr">&lt;<a href=
=3D"mailto:mike@plan99.net" target=3D"_blank">mike@plan99.net</a>&gt;</span=
> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div cla=
ss=3D"im">On Sat, Nov 2, 2013 at 6:01 AM,  <span dir=3D"ltr">&lt;<a href=3D=
"mailto:bitcoingrant@gmx.com" target=3D"_blank">bitcoingrant@gmx.com</a>&gt=
;</span> wrote:<br>
</div><div class=3D"gmail_extra"><div class=3D"gmail_quote"><div class=3D"i=
m"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bord=
er-left:1px solid rgb(204,204,204);padding-left:1ex">
<span style=3D"font-family:Verdana"><span style=3D"font-size:12px"><p dir=
=3D"ltr" style=3D"line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span =
style=3D"background-color:transparent;white-space:pre-wrap;line-height:1.15=
">In brief, the authentication work as follows:</span><br>

</p><p style=3D"margin:0px;padding:0px">=A0</p><p dir=3D"ltr" style=3D"line=
-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style=3D"vertical-alig=
n:baseline;font-variant:normal;font-style:normal;font-size:12px;white-space=
:pre-wrap;background-color:transparent;text-decoration:none;font-family:Ver=
dana;font-weight:normal">Server provides a token for the client to sign.</s=
pan></p>

<p dir=3D"ltr" style=3D"line-height:1.15;margin-top:0pt;margin-bottom:0pt">=
<span style=3D"vertical-align:baseline;font-variant:normal;font-style:norma=
l;font-size:12px;white-space:pre-wrap;background-color:transparent;text-dec=
oration:none;font-family:Verdana;font-weight:normal">client passes the sign=
ed message and the bitcoin address back to the server.</span></p>

<p dir=3D"ltr" style=3D"line-height:1.15;margin-top:0pt;margin-bottom:0pt">=
<span style=3D"vertical-align:baseline;font-variant:normal;font-style:norma=
l;font-size:12px;white-space:pre-wrap;background-color:transparent;text-dec=
oration:none;font-family:Verdana;font-weight:normal">server validates the m=
essage and honors the alias (optional) and bitcoin address as identificatio=
n.</span></p>

</span></span></blockquote><div><br></div></div><div><a href=3D"http://pili=
f.github.io/2008/05/why-is-nobody-using-ssl-client-certificates/" target=3D=
"_blank">http://pilif.github.io/2008/05/why-is-nobody-using-ssl-client-cert=
ificates/</a></div>
</div></div></div></blockquote><div><br></div><div>I actually use client ce=
rtificates for almost all of my authentication.<br><br>It&#39;s true that t=
he browser manufacturers have created an UX which is not ideal, and very li=
ttle effort is made to improve it.=A0 But it is possible.=A0 See this proje=
ct from Mozilla labs.<br>
<br><a href=3D"http://www.azarask.in/blog/post/identity-in-the-browser-fire=
fox/" target=3D"_blank">http://www.azarask.in/blog/post/<span class=3D"">id=
entity</span>-in-the-browser-<span>firefox</span>/</a><br><br></div><div>Un=
fortunately this got killed :(<br>
</div><div><br>More popular is the trusted third party model like OAuth or =
Persona.=A0 There&#39;s a conflict of interest as well, because browser man=
ufacturers are often identity providers too, so there is an incentive to pu=
sh TTP technology.<br>
<br></div><div>There&#39;s two elements here.=A0 One is paswordless login (=
which I love).=A0 The other is who controls your identity.=A0 I like to con=
trol my own identity (in my browser) using PKI.=A0 But facebook and the big=
 webmail providers have a lions share of the market.=A0 <br>
<br>The way to shift the balance is to offer the right incentives.<br></div=
><div>=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0p=
x 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=
=3D"ltr">
<div class=3D"gmail_extra">
</div></div>
<br>-----------------------------------------------------------------------=
-------<br>
Android is increasing in popularity, but the open development platform that=
<br>
developers love is also attractive to malware creators. Download this white=
<br>
paper to learn more about secure code signing practices that can help keep<=
br>
Android apps secure.<br>
<a href=3D"http://pubads.g.doubleclick.net/gampad/clk?id=3D65839951&amp;iu=
=3D/4140/ostg.clktrk" target=3D"_blank">http://pubads.g.doubleclick.net/gam=
pad/clk?id=3D65839951&amp;iu=3D/4140/ostg.clktrk</a><br>___________________=
____________________________<br>

Bitcoin-development mailing list<br>
<a href=3D"mailto:Bitcoin-development@lists.sourceforge.net">Bitcoin-develo=
pment@lists.sourceforge.net</a><br>
<a href=3D"https://lists.sourceforge.net/lists/listinfo/bitcoin-development=
" target=3D"_blank">https://lists.sourceforge.net/lists/listinfo/bitcoin-de=
velopment</a><br>
<br></blockquote></div><br></div></div>

--047d7b3a88daa846a204ea317cf1--