Re: Salsa update: no more "-guest" and more

To: debian-devel@lists.debian.org
Subject: Re: Salsa update: no more "-guest" and more
From: Russ Allbery <rra@debian.org>
Date: Mon, 27 Apr 2020 10:34:31 -0700
Message-id: <[🔎] 87a72wde8o.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 56e1e730-ab22-9b1e-8a70-f208b9d05e99@debian.org> (Thomas Goirand's message of "Mon, 27 Apr 2020 11:09:43 +0200")
References: <20200418213339.GB32260@waldi.eu.org> <[🔎] 8555e1c9-2ae9-fc7e-8278-4e4e1bf1b0f1@bzed.de> <[🔎] 20200425164941.4nrgwu636mk564y5@shell.thinkmo.de> <[🔎] B4960B93-DB48-469A-A2A2-6E2D7383D219@bzed.de> <[🔎] 1aa1982f-e333-df39-121c-b7d0ceecaf3c@debian.org> <[🔎] 45946438-59a6-f2f3-98b0-3610c4982441@bzed.de> <[🔎] b8e504e4-5281-5833-750f-f613b26136b4@debian.org> <[🔎] de5ebb9f-a729-f0ae-653a-2053ef7fd8cd@bzed.de> <[🔎] d8e1363e-59e3-5925-c403-a6f0cc7dac49@debian.org> <[🔎] 871ro93hmm.fsf@hope.eyrie.org> <[🔎] 56e1e730-ab22-9b1e-8a70-f208b9d05e99@debian.org>

Thomas Goirand <zigo@debian.org> writes:

> Except that SQRL has no password involved, just crypto.

> Since you are too lazy to read on, let me do a tl;dr. Simply put, the
> client holds a private key. From that private key, a new one is derived
> doing a HMAC of that key with the domain, meaning a client has a unique
> public/private keypair for each site. Then the site only holds the
> public key, and the client auth using his private key (again, unique to
> each site), presented a one time challenge.

Thanks for the explanation!

Why would we do this and not just use TLS (or X.509 more generally), which
has essentially the same properties and for which implementations are far
more widely available?  What you describe is basically equivalent to how
Webauthn works except that Webauthn uses X.509 certs, for which there are
numerous well-tested and audited implementations.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>

References:
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Bastian Blank <waldi@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Russ Allbery <rra@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>

Prev by Date: Bug#958984: ITP: python-drf-spectacular -- OpenAPI 3 schema generation for Django REST framework
Next by Date: Re: Third-party forks of packaged projects
Previous by thread: Re: Salsa update: no more "-guest" and more
Next by thread: Re: Salsa update: no more "-guest" and more
Index(es):
- Date
- Thread