>>>>> "PM" == Norbert Bollow <nb@pobox.com> writes:

PM> Many services with www interface require an e-mail exchange once (at
PM> sign-up time) to reliably associate a cookie with an e-mail
PM> address. Then the cookie can be used for authentication later.

I suppose that's the password-per-user concept. Perhaps it's not so useless
after all. Anyway, it's not a big deal to implement, so once we have
someone willing to work on a web interface who can tell me the kind of
semantics this thing should have, I can implement it.

PM> Some browsers even support "cookie files" or whatever they may be
PM> called and handle this authentication procedure completely in the
PM> background (i.e. without bothering the user at all).

This I don't get. If you don't do some part of the process via email
(since that's the only way to prevent address faking) how can you be
secure? You have to bother the user, although you could require them to
enter their key only once and stuff it in a cookie so they don't have to do
it again. (I think; keep in mind that I don't do web things much.)
So if we were to do this, we would have a foolproof way to handle
authentication for the interfaces which before we had no hope of doing (web
and shell). Email is fundamentally different.
- J<
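
The scheme discussed in this message (one e-mail round trip at sign-up, then a cookie tied to the confirmed address), sketched as an added example that is not part of the original message or of any project's code. All function names, the `|` cookie layout and the one-hour lifetime are assumptions made for illustration; sending the mail itself is left out.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret, never sent to clients
CONFIRM_TTL = 3600                    # assumed lifetime of a mailed token, in seconds
_pending = {}                         # sha256(token) -> (address, expiry time)

def _digest(token):
    # Only a hash of the mailed token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

def _mac(address):
    return hmac.new(SERVER_KEY, address.encode(), hashlib.sha256).hexdigest()

def start_signup(address, now=None):
    """Create the one-time token that would be e-mailed to `address`."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = (address, now + CONFIRM_TTL)
    return token

def confirm(token, now=None):
    """Redeem a mailed token exactly once; return a cookie value or None."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)  # pop: a second use always fails
    if entry is None or now > entry[1]:
        return None
    address = entry[0]
    # Possession of the token shows the user can read mail at `address`,
    # which is the only step that prevents address faking.
    return f"{address}|{_mac(address)}"

def address_for_cookie(cookie):
    """Return the confirmed address a cookie vouches for, or None if forged."""
    address, sep, mac = cookie.rpartition("|")
    if not sep:
        return None
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if hmac.compare_digest(mac.encode(), _mac(address).encode()):
        return address
    return None
```

The cookie is only as strong as its transport and storage: anyone who copies it is authenticated as that address until `SERVER_KEY` is rotated.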