Re: Salsa update: no more "-guest" and more

To: debian-devel@lists.debian.org
Subject: Re: Salsa update: no more "-guest" and more
From: Thomas Goirand <zigo@debian.org>
Date: Mon, 27 Apr 2020 22:43:43 +0200
Message-id: <[🔎] c27cfaf8-3d6b-52b2-af82-e1bba316b5a5@debian.org>
In-reply-to: <[🔎] 87a72wde8o.fsf@hope.eyrie.org>
References: <20200418213339.GB32260@waldi.eu.org> <[🔎] 8555e1c9-2ae9-fc7e-8278-4e4e1bf1b0f1@bzed.de> <[🔎] 20200425164941.4nrgwu636mk564y5@shell.thinkmo.de> <[🔎] B4960B93-DB48-469A-A2A2-6E2D7383D219@bzed.de> <[🔎] 1aa1982f-e333-df39-121c-b7d0ceecaf3c@debian.org> <[🔎] 45946438-59a6-f2f3-98b0-3610c4982441@bzed.de> <[🔎] b8e504e4-5281-5833-750f-f613b26136b4@debian.org> <[🔎] de5ebb9f-a729-f0ae-653a-2053ef7fd8cd@bzed.de> <[🔎] d8e1363e-59e3-5925-c403-a6f0cc7dac49@debian.org> <[🔎] 871ro93hmm.fsf@hope.eyrie.org> <[🔎] 56e1e730-ab22-9b1e-8a70-f208b9d05e99@debian.org> <[🔎] 87a72wde8o.fsf@hope.eyrie.org>

On 4/27/20 7:34 PM, Russ Allbery wrote:
> Thomas Goirand <zigo@debian.org> writes:
> 
>> Except that SQRL has no password involved, just crypto.
> 
>> Since you are too lazy to read on, let me do a tl;dr. Simply put, the
>> client holds a private key. From that private key, a new one is derived
>> doing a HMAC of that key with the domain, meaning a client has a unique
>> public/private keypair for each site. Then the site only holds the
>> public key, and the client auth using his private key (again, unique to
>> each site), presented a one time challenge.
> 
> Thanks for the explanation!
> 
> Why would we do this and not just use TLS (or X.509 more generally), which
> has essentially the same properties and for which implementations are far
> more widely available?  What you describe is basically equivalent to how
> Webauthn works except that Webauthn uses X.509 certs, for which there are
> numerous well-tested and audited implementations.

We just had chat on #debian-devel. It looks like Webauthn is similar,
yes. I'd be nice too.

Thomas Goirand (zigo)

Reply to:

References:
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Bastian Blank <waldi@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: IOhannes m zmölnig (Debian/GNU) <umlaeute@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Bernd Zeimetz <bernd@bzed.de>
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Russ Allbery <rra@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Thomas Goirand <zigo@debian.org>
- Re: Salsa update: no more "-guest" and more
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Third-party forks of packaged projects
Next by Date: Re: Salsa update: no more "-guest" and more
Previous by thread: Re: Salsa update: no more "-guest" and more
Next by thread: Re: Salsa update: no more "-guest" and more
Index(es):
- Date
- Thread