
Username/password authentication strategy

Solderpunk solderpunk at posteo.net

Tue Jul 21 18:33:24 BST 2020

- - - - - - - - - - - - - - - - - - - 

On Mon Jul 20, 2020 at 11:27 PM CEST, Peter Vernigorov wrote:

> But I think the bigger problem is that now I need to store usernames,
> pins, all of user’s cert fingerprints and their first seen and last seen
> dates, I would need to build an interface to delete old/lost fingerprints, etc.

Combining username/password authentication with multiple simultaneous, long-lived certificates seems like a maximum-complexity approach to me and I'm not sure there's much to be gained from it.

If you want something light and simple using usernames and passwords, it makes sense to me to inform the user to generate a short-lived certificate, to then use a sequence of 10 and 11 status codes to request a username and password, and, if they are valid, to mark that certificate fingerprint as authorised for that account and at the same time immediately deauthorise (and forget about) any and all previous certificates used for that account. A user "logs out" manually by deleting the certificate, or else their session naturally expires when the certificate's validity period lapses.

I grant you this is less straightforward than HTTP basic auth. Multi-user applications with user-friendly interfaces aren't really straightforward in Gemini.

Cheers,
Solderpunk
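The login sequence sketched in the post (short-lived client cert, a 10 then an 11 prompt, bind the fingerprint to the account, forget every earlier cert), as an added server-side example that is not part of the original message or any Gemini server. The `CertAuth` class, the `handle`/`user_for` names, the PBKDF2 account store and the fingerprint strings are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import unquote

# Gemini status codes used by the flow (from the protocol spec).
INPUT, SENSITIVE_INPUT, SUCCESS, CERT_REQUIRED = 10, 11, 20, 60

def make_user(password: str) -> tuple[bytes, bytes]:
    """Build a salted PBKDF2 record for one account (constructed demo store)."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CertAuth:
    """Server-side state for the login endpoint described in the post (assumed design)."""

    def __init__(self, users: dict):
        self.users = users        # username -> (salt, pbkdf2 hash)
        self.authorised = {}      # cert fingerprint -> username
        self.pending = {}         # cert fingerprint -> username awaiting a password

    def user_for(self, fingerprint):
        return self.authorised.get(fingerprint)

    def handle(self, fingerprint, query):
        """Return (status, meta) for one request: `fingerprint` is the client cert's
        hash (None if no cert was presented), `query` the URL query string."""
        if fingerprint is None:
            return CERT_REQUIRED, "Generate a short-lived client certificate to log in"
        if fingerprint in self.authorised:
            return SUCCESS, "text/gemini"      # live session, nothing to ask
        if fingerprint not in self.pending:
            if not query:
                return INPUT, "Username"
            self.pending[fingerprint] = unquote(query)
            return SENSITIVE_INPUT, "Password"
        if not query:
            return SENSITIVE_INPUT, "Password"
        username = self.pending.pop(fingerprint)
        record = self.users.get(username, (b"", b""))   # unknown user still runs PBKDF2
        digest = hashlib.pbkdf2_hmac("sha256", unquote(query).encode(), record[0], 100_000)
        if record[1] and hmac.compare_digest(digest, record[1]):
            # Bind this cert and forget every earlier cert for the account.
            for old in [fp for fp, u in self.authorised.items() if u == username]:
                del self.authorised[old]
            self.authorised[fingerprint] = username
            return SUCCESS, "text/gemini"
        return INPUT, "Login failed. Username"    # restart the prompt sequence
```

A real server would expire entries in `authorised` when the certificate's notAfter passes, which is the "session naturally expires" part of the post.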