Re: Salsa update: no more "-guest" and more
On 4/27/20 7:34 PM, Russ Allbery wrote:
> Thomas Goirand <zigo@debian.org> writes:
>
>> Except that SQRL has no password involved, just crypto.
>
>> Since you are too lazy to read on, let me do a tl;dr. Simply put, the
>> client holds a private key. From that private key, a new one is derived
>> doing an HMAC of that key with the domain, meaning a client has a unique
>> public/private keypair for each site. Then the site only holds the
>> public key, and the client authenticates using his private key (again,
>> unique to each site) when presented a one-time challenge.
>
> Thanks for the explanation!
>
> Why would we do this and not just use TLS (or X.509 more generally), which
> has essentially the same properties and for which implementations are far
> more widely available? What you describe is basically equivalent to how
> Webauthn works except that Webauthn uses X.509 certs, for which there are
> numerous well-tested and audited implementations.
We just had a chat on #debian-devel. It looks like Webauthn is similar,
yes. It'd be nice too.
Thomas Goirand (zigo)
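The per-site key derivation and challenge signature described in the quoted message, written out as an added Go example (not code from this thread or from SQRL itself; the master key, domain names and challenge are constructed values, and HMAC-SHA256 plus Ed25519 are assumed as the primitives):

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// deriveSiteKey derives a per-site Ed25519 keypair from the client's master
// key: seed = HMAC-SHA256(masterKey, domain). Every domain yields a different
// keypair, so one site's public key says nothing about the user's key elsewhere.
func deriveSiteKey(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signChallenge is the client side: sign the site's one-time challenge with
// the site-specific private key, which never leaves the client.
func signChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// verifyLogin is the site side: it holds only the public key registered
// earlier and checks the signature over the challenge it issued for this login.
func verifyLogin(registered ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(registered, challenge, sig)
}

func main() {
	master := []byte("constructed-32-byte-master-key!!") // constructed; a real client uses a random secret
	pubA, privA := deriveSiteKey(master, "salsa.debian.org")
	pubB, _ := deriveSiteKey(master, "example.org")
	challenge := []byte("nonce-from-server-0001") // constructed one-time value issued by the site
	sig := signChallenge(privA, challenge)
	fmt.Println("salsa accepts signature:", verifyLogin(pubA, challenge, sig))
	fmt.Println("other site accepts it:", verifyLogin(pubB, challenge, sig))
	fmt.Println("per-site keys differ:", !bytes.Equal(pubA, pubB))
}
```

Whether the site key comes from an HMAC over the domain, as described, or from an X.509 certificate as Russ suggests, the site stores only a public key, and a signature over a stale or altered challenge fails verification.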