On Wed, 16 Mar 2005, Vladimir Zlatanov wrote:
> > An idea (proposed by somebody else) for secure remote auth would be to let the user authenticate at the "home server" and only send a "yes" or "no" to the remote server. The remote server would pass the session ID along and get it back if authentication was successful. I am not completely sure if this process is safe from exploits, though.
> It is not safe from 'man in the middle' exploits. If somebody manages to pretend to be the 'home server', then they rule.
Yeah, I guess.
> It is possible though, to devise a scheme which can avoid that, something along these lines:
> prerequisite - some form of trust established between remote and home, preferably some form of signing the messages.
I was actually thinking of using gpg keys to do the encryption I spoke about. "Unfortunately" all the sites I would want to have in a trusted network will run on the same server, and so I will simply share the user table. So I will not code this.
Cheers, Gerhard
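As an added illustration (not code from the thread), here is the "signed yes/no" scheme in Python: the home server's answer is bound to the remote server's session ID and a fresh nonce and authenticated under a key the two servers share out of band, so an impersonated home server, a tampered "no", or a replayed "yes" all fail the check. It uses an HMAC as a stand-in for the gpg signatures mentioned; the key, session IDs and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example; in practice it is set up out of
# band between remote and home (the "trust established" prerequisite).
SHARED_KEY = b"constructed-example-key-not-for-real-use"

def _canonical(session_id: str, nonce: str, result: str) -> bytes:
    """Fixed-layout message so the tag covers every field unambiguously."""
    return f"{session_id}\n{nonce}\n{result}".encode()

def remote_challenge(session_id: str) -> dict:
    """Remote server: ask home about one session, with a fresh nonce."""
    return {"session_id": session_id, "nonce": secrets.token_hex(16)}

def home_answer(key: bytes, challenge: dict, authenticated: bool) -> dict:
    """Home server: yes/no bound to the session and nonce, with a MAC tag."""
    result = "yes" if authenticated else "no"
    msg = _canonical(challenge["session_id"], challenge["nonce"], result)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {**challenge, "result": result, "tag": tag}

def remote_accept(key: bytes, challenge: dict, answer: dict) -> bool:
    """Remote server: accept only a 'yes' whose tag verifies for this challenge."""
    if answer.get("session_id") != challenge["session_id"]:
        return False
    if answer.get("nonce") != challenge["nonce"]:
        return False  # answer to some other (or replayed) challenge
    msg = _canonical(challenge["session_id"], challenge["nonce"],
                     answer.get("result", ""))
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, answer.get("tag", "")):
        return False  # forged or tampered: an impersonator has no key
    return answer["result"] == "yes"

def demo() -> tuple:
    """Returns (genuine, forged, tampered, replayed) acceptance results."""
    ch = remote_challenge("sess-123")
    genuine = home_answer(SHARED_KEY, ch, True)
    # An impersonated home server without the key just asserts "yes".
    forged = {**ch, "result": "yes", "tag": "00" * 32}
    # A genuine "no" edited into "yes" in transit no longer matches its tag.
    tampered = {**home_answer(SHARED_KEY, ch, False), "result": "yes"}
    # A genuine "yes" replayed against a later challenge fails the nonce check.
    later = remote_challenge("sess-123")
    return (remote_accept(SHARED_KEY, ch, genuine),
            remote_accept(SHARED_KEY, ch, forged),
            remote_accept(SHARED_KEY, ch, tampered),
            remote_accept(SHARED_KEY, later, genuine))
```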