[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Salsa update: no more "-guest" and more

Thomas Goirand <zigo@debian.org> writes:

> Except that SQRL has no password involved, just crypto.

> Since you are too lazy to read on, let me do a tl;dr. Simply put, the
> client holds a private key. From that private key, a new one is derived
> doing a HMAC of that key with the domain, meaning a client has a unique
> public/private keypair for each site. Then the site only holds the
> public key, and the client auth using his private key (again, unique to
> each site), presented a one time challenge.

Thanks for the explanation!

Why would we do this and not just use TLS (or X.509 more generally), which
has essentially the same properties and for which implementations are far
more widely available?  What you describe is basically equivalent to how
Webauthn works except that Webauthn uses X.509 certs, for which there are
numerous well-tested and audited implementations.

Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to: