tags: authentication

Common tags - number of posts

x509 (2), SSL (2), TrickleUp (2), Firefox (1), TLS (1), certificate (1), GSSAPI (1), Elwing (1), cookie (1), Mozilla (1), open source (1), IMAP (1), ssh (1), client (1), LDAP (1), movies (1), blog (1), Persona (1), Cyrus (1), anonymity (1), SASL (1), Kerberos (1), privacy (1), Trac (1)

●●●●●○○○

Open letter to Mozilla: Bring back Persona - Stavros' Stuff

books

For those of you who don’t know, Persona was a private, decentralized authentication protocol that Mozilla developed. It’s pretty much those “Log in with Facebook” buttons that you see on some sites, except that, instead of Facebook, you just log in with your email provider. So, if you enter a Gmail address, you’ll be redirected to Gmail and be asked to allow the site to see your address, and you’ll be logged in, without Gmail ever knowing...

url: http://www.stavros.io/posts/open-letter-mozilla-bring-back-persona/

type: article, format: blog

●●●●●○○○

Bug 2642 – TLS client authentication: allow optional client certificate

I have reworked the way how in imap/tls.c:tls_init_serverengine the CA certificates are handled: * I added the new (optional) parameter "tls_server_ca_file" containing the CA certificates that build the certificate chain for the server certificate. (if it is not set, the certificates are collected from tls_ca_file and tls_ca_path)

url: https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2642

type: none, format: none

●●●●●●●○

Roumen Petrov - secure shell(ssh)

a project to add x509 authentication to OpenSSH

url: http://roumenpetrov.info/openssh/

type: project, format: unknown

●●●●●●○○

x509 with friendly name support

Ticket to add x509 support to Trac.

url: http://trac.edgewall.org/ticket/6982

type: unknown, format: unknown

Client Certificate Verification

So someone around here is too lazy to pick up his/her cookie before leaving a comment on my site. They clear their cookies monthly. I don't want to have just a form where you put your name, email address, and website, because that could allow someone to impersonate another person. And i'd like to avoid forcing readers to have another password. So.

The solution presented itself while discussing the issue with Laura. Take advantage of SSL. Normally when you visit a commercial web site to make a purchase, you verify that you are really talking to that company, because they provide a certificate, and this cert is signed by a well known certificate (like Verisign) and your browser already trusts that cert.

But SSL is a two way authentication system. What i propose is the converse. When a reader wants to leave a comment on my site, they may provide their cert. If it's signed by a well known cert, great; if not then i'll need to verify it (its fingerprint at least) somehow. This is a one time event.

When they come to the site with a cert that i eventually trust, i'll just let them post the comment. There's no need for a password. I may not even need to ask for their username.

I think it's about time my so called "security conscious" friends and i deploy such a system. Hehe, but does their canned blogging software have this ability?

What if my to-be commentators don't have certificates? Well then it's back to tokens over email, passwords, or posting anonymously.
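An added sketch of the trust decision described in this post (example code, not TrickleUp's own). The names `CommenterCerts`, `decide` and `approve`, the choice of SHA-256, and the `ca_verified` flag handed over by the TLS layer are assumptions; the certificates are constructed byte strings standing in for DER data.

```python
import hashlib

def fingerprint(cert_der):
    """SHA-256 over the whole DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def normalize(fp_text):
    """Accept 'AB:CD:...' or 'abcd...' as exchanged out of band."""
    fp = fp_text.replace(":", "").replace(" ", "").lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("not a SHA-256 fingerprint")
    return fp

class CommenterCerts:
    """Decides whether a presented client certificate may post without a password."""

    def __init__(self):
        self.approved = {}    # fingerprint -> name recorded at approval time
        self.pending = set()  # fingerprints awaiting the one-time manual check

    def approve(self, fp_text, name):
        """Record the one-time out-of-band verification of a fingerprint."""
        fp = normalize(fp_text)
        self.pending.discard(fp)
        self.approved[fp] = name

    def decide(self, cert_der, ca_verified=False, ca_name=None):
        """Return (decision, name) for one comment request."""
        if cert_der is None:
            # No certificate: email token, password, or anonymous posting.
            return ("fallback", None)
        fp = fingerprint(cert_der)
        if fp in self.approved:
            # The name comes from the approval record, never from the
            # certificate, because a self-signed cert can claim any subject.
            return ("allow", self.approved[fp])
        if ca_verified:
            # The TLS layer already validated the chain to a well-known CA.
            return ("allow", ca_name)
        self.pending.add(fp)
        return ("pending", None)

# Constructed sample inputs, not real certificates.
ALICE_CERT = b"constructed bytes standing in for alice's DER certificate"
OTHER_CERT = b"constructed bytes for a different self-signed cert naming alice"
```

Pinning the fingerprint of the whole certificate means a second self-signed certificate that merely carries the same subject name still lands in the pending set.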

Anonymity

After more complaints from a person -- whom i'll keep confidential -- i've added a "post as anonymous" feature to TrickleUp. S/he was right. It should have been there. I just didn't get to it yet.

S/he mentioned that s/he must clear her/his cache and cookies every day. This is understandable. And i do know it's a pain to request your cookie every day, so here's the solution. Request it once, you'll get an email with a URL. Bookmark that URL.

And on authentication, yeah i think it's important for a blog. Animosity exists in the world. I would hate to be the host of nasty impersonation. One could easily hurt the reputation of another. It's also possible to incite poor relationships.

Other blogging software such as Blogger, LiveJournal, and WordPress already have these features. (I'm not sure about UserLand and MovableType.) They all require a username and password combo. In TrickleUp, i have that, but i also have a watered down version, called the User Cookie. Here you give me your email address, and i'll give you a cookie that lasts a year.

Moving

I configured LDAP to accept only Kerberos authentication via SASL and GSSAPI. And i'm able to add entries using ldapadd when the user has a valid ticket.

I added a new section showing movies i've gone to.