
Re: Salsa update: no more "-guest" and more

On 4/27/20 7:34 PM, Russ Allbery wrote:
> Thomas Goirand <zigo@debian.org> writes:
>> Except that SQRL has no password involved, just crypto.
>> Since you are too lazy to read on, let me do a tl;dr. Simply put, the
>> client holds a private key. From that private key, a new one is derived
>> doing a HMAC of that key with the domain, meaning a client has a unique
>> public/private keypair for each site. Then the site only holds the
>> public key, and the client auths using his private key (again, unique to
>> each site), presented with a one-time challenge.
> Thanks for the explanation!
> Why would we do this and not just use TLS (or X.509 more generally), which
> has essentially the same properties and for which implementations are far
> more widely available?  What you describe is basically equivalent to how
> Webauthn works except that Webauthn uses X.509 certs, for which there are
> numerous well-tested and audited implementations.

We just had a chat on #debian-devel. It looks like Webauthn is similar,
yes. It'd be nice too.

Thomas Goirand (zigo)
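
The scheme summarized in the quoted tl;dr (per-site key derived by HMAC of the client key with the domain, site stores only the public key, client signs a one-time challenge), as an added example that is not part of the original message and not SQRL's own code. HMAC-SHA256, Ed25519, the function names and the sample secret and domains are assumptions of this sketch; the message only says "HMAC" and "keypair".

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SiteKey (client) derives the per-site private key: HMAC(master, domain).
// Assumption: HMAC-SHA256 output used as a 32-byte Ed25519 seed.
func SiteKey(master []byte, domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil))
}

// SitePublicKey is the only value the site stores for the account.
func SitePublicKey(master []byte, domain string) ed25519.PublicKey {
	return SiteKey(master, domain).Public().(ed25519.PublicKey)
}

// NewChallenge (server) issues a fresh random nonce per login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Respond (client) signs the challenge with the key for this domain.
func Respond(master []byte, domain string, challenge []byte) []byte {
	return ed25519.Sign(SiteKey(master, domain), challenge)
}

// Verify (server) checks the signature against the stored public key.
func Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	master := []byte("constructed-master-secret") // constructed sample value
	pub, ch := SitePublicKey(master, "salsa.debian.org"), NewChallenge()
	sig := Respond(master, "salsa.debian.org", ch)
	fmt.Println("login ok:", Verify(pub, ch, sig))
	fmt.Println("replayed on new challenge:", Verify(pub, NewChallenge(), sig))
}
```

A signature made for one site does not verify under another site's stored key, and an old signature does not verify against a new challenge.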
