Date: Sat, 2 Nov 2013 14:16:12 +0100
Message-ID: <CAKaEYhKt=wq_SwnrndpfQjnM9KWEoZ60dEO_wYmux5YsRK0=dQ@mail.gmail.com>
From: Melvin Carvalho <melvincarvalho@gmail.com>
To: Mike Hearn <mike@plan99.net>
Cc: bitcoingrant@gmx.com,
	Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Message Signing based authentication

On 2 November 2013 14:02, Mike Hearn <mike@plan99.net> wrote:

> On Sat, Nov 2, 2013 at 6:01 AM, <bitcoingrant@gmx.com> wrote:
>
>> In brief, the authentication works as follows:
>>
>>
>>
>> Server provides a token for the client to sign.
>>
>> client passes the signed message and the bitcoin address back to the
>> server.
>>
>> server validates the message and honors the alias (optional) and bitcoin
>> address as identification.
>>
>
> http://pilif.github.io/2008/05/why-is-nobody-using-ssl-client-certificates/
>

I actually use client certificates for almost all of my authentication.

It's true that the browser manufacturers have created a UX which is not
ideal, and very little effort is made to improve it.  But it is possible.
See this project from Mozilla labs.

http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

Unfortunately this got killed :(

More popular is the trusted third party model like OAuth or Persona.
There's a conflict of interest as well, because browser manufacturers are
often identity providers too, so there is an incentive to push TTP
technology.

There are two elements here.  One is passwordless login (which I love).  The
other is who controls your identity.  I like to control my own identity (in
my browser) using PKI.  But Facebook and the big webmail providers have a
lion's share of the market.

The way to shift the balance is to offer the right incentives.
