🍧🦊Sep 29, 2017

Well. My Little Server: Crypto Is Magic. It seems to *work*.

Is it really this easy? You just include a user ID and signature with every HTTP request, and the server can look up the public key for the user ID and use that to verify the signature?

I mean, it's not EASY; I've already thought of a couple soundness holes, but those are details of getting the implementation right. Why the hell have we not been doing this for EVERYTHING since the 80's?

Show thread🍧🦊

@dasyatidprime @Azure You're the people who know way more about security than me, there must be reasons this hasn't been thought of before, right?

I mean, there's OpenSSL key verification stuff but I've used that *once* and it's an unspeakable shitshow to get it working and makes life super hard for everyone.

Is there an actual reason that "send a shared secret in a cookie" gets used to authenticate instead of "send asymmetric signature"?

Sep 29, 2017 at 7:30pmWeb
Show threadDrOpsSep 30, 2017
@icefox that sounds as if you are reinventing the concept of client certificates. They work, and the mechanism is built in the webbrowser of your choice