Sauth

Welcome to the crazy world of ideas that probably won't go anywhere, but sound sexy to me.

Sauth is a name for the Stupid/Sane Auth system I've thought about a couple of times (sometimes in crazier incarnations, see Auth for an example), which uses public keys for authenticating to a server.

Rationale

Currently, some password/hash-based auth systems on the Internet are relatively insecure, allowing people to exploit them rather easily. Some examples of this are:

Also, while not strictly related to password-based auth (I believe standard HTTP auth doesn't make the server do them), one day I was looking at the TiT source and I realized that there's really no reason to actually care about sessions on the server side. The code for sessions on the server side is typically overly complex, and if you can change the clients to send some non-constant data that the server can verify on each request, the server doesn't need sessions; it becomes stateless in that regard. (Technically the original TBSource is somewhat stateless, but it doesn't check it uniquely every time; someone can still eavesdrop and use your passhash themselves.)
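A sketch of the per-request check described above, added here as an example and not taken from Sauth, TiT or TBSource. It assumes Ed25519 keys, a signed timestamp as the non-constant data, a 30-second freshness window, and hypothetical field names (`keyId`, `ts`, `sig`); the request paths and user names are constructed.

```javascript
const crypto = require('node:crypto');

const MAX_SKEW_MS = 30000; // assumed freshness window, not from the page

// Canonical bytes that both sides sign and verify. Encoding the fields as a
// JSON array keeps their boundaries unambiguous; the body is bound by hash.
function canonical(r) {
  const bodyHash = crypto.createHash('sha256').update(r.body).digest('hex');
  return Buffer.from(JSON.stringify([r.keyId, r.method, r.path, bodyHash, r.ts]));
}

// Client: attach a timestamp (the non-constant data) and an Ed25519 signature.
function signRequest(privateKey, keyId, method, path, body, now) {
  const req = { keyId, method, path, body, ts: now };
  req.sig = crypto.sign(null, canonical(req), privateKey).toString('base64');
  return req;
}

// Server: needs only the registered public keys, no session table.
function verifyRequest(publicKeys, req, now) {
  const pub = publicKeys.get(req.keyId);
  if (!pub) return 'unknown-key';
  if (!Number.isInteger(req.ts) || Math.abs(now - req.ts) > MAX_SKEW_MS) return 'stale';
  const sig = Buffer.from(String(req.sig), 'base64');
  return crypto.verify(null, canonical(req), pub, sig) ? 'ok' : 'bad-signature';
}

// Constructed sample run: one registered user, four verification attempts.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const keys = new Map([['alice', publicKey]]);
  const t0 = 1700000000000; // constructed clock value
  const good = signRequest(privateKey, 'alice', 'GET', '/torrents', '', t0);
  return {
    fresh: verifyRequest(keys, good, t0 + 1000),
    tampered: verifyRequest(keys, { ...good, path: '/account' }, t0 + 1000),
    replayedLater: verifyRequest(keys, good, t0 + 60000),
    unknownKey: verifyRequest(keys, { ...good, keyId: 'mallory' }, t0 + 1000),
  };
}
```

The timestamp only bounds how long an eavesdropped request stays usable. Rejecting a replay inside the window would need a short-lived cache of seen signatures, which reintroduces a small amount of server state.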

Sauth (last edited 2008-02-05 05:46:32 by localhost)