Post 9w1BbWoAzG3q2JQTKK by wolf480pl@mstdn.io
 (DIR) Post #9w16ezJuwAPzYw6S6i by sir@cmpwn.com
       2020-06-12T19:43:03Z
       
       1 likes, 1 repeats
       
       Remind me why didn't we use client-side certificates for web APIs? Why do we tolerate OAuth again?
       
 (DIR) Post #9w16y0TwqFz0fSrbvc by lanodan@queer.hacktivis.me
       2020-06-12T19:47:07.910278Z
       
       0 likes, 0 repeats
       
        @sir Well cacert.org is the only one I know which does allow client-certificate authentication through the web.
        Meanwhile IRC/SSH/VPNs/… do fine with client-certificates.
       
 (DIR) Post #9w16ync8Acdx324KzA by IceWolf@meow.social
       2020-06-12T19:46:23Z
       
       0 likes, 0 repeats
       
       @sir ...I forgot client-side certificates are a /thing/, that would also eliminate passwords /entirely/...
       
 (DIR) Post #9w175K80CGBfcs5Uki by sir@cmpwn.com
       2020-06-12T19:46:47Z
       
       0 likes, 0 repeats
       
       @IceWolf using them as a replacement for passwords is more risky
       
 (DIR) Post #9w17BXM9vXGuOGfjlo by riking@orb.an6.us
       2020-06-12T19:46:57.612088Z
       
       0 likes, 0 repeats
       
       @sir because the browsers refuse to improve the ux of client certs
       
 (DIR) Post #9w17BXkcSapzc87Gtc by sir@cmpwn.com
       2020-06-12T19:47:14Z
       
       1 likes, 0 repeats
       
       @riking who cares about browsers tbh
       
 (DIR) Post #9w17Ez6HETirIyt4j2 by lanodan@queer.hacktivis.me
       2020-06-12T19:50:12.289809Z
       
       0 likes, 0 repeats
       
        @sir @IceWolf More risky but compared to stuff like TOTP, not so sure.
        Especially as client-certificates could still be stored in a secret storage (aka password manager).
       
 (DIR) Post #9w17JyBy2KsPw6vTzk by IceWolf@meow.social
       2020-06-12T19:48:11Z
       
       0 likes, 0 repeats
       
       @sir Huh, why's that? Because if someone hacks into your computer they get the certificate?
       
 (DIR) Post #9w17QF0kPu2TpxfW0u by cj@mastodon.technology
       2020-06-12T19:50:38Z
       
       0 likes, 0 repeats
       
       @sir I think because SPKI/SDSI lost traction in favor of centralized certificate authorities for TLS which allowed them to get a lot of money from being a monopoly and make it compelling to not do further research on that line of thought.
       
 (DIR) Post #9w17QFEZaV68Wq8YYy by lanodan@queer.hacktivis.me
       2020-06-12T19:52:13.833848Z
       
       0 likes, 0 repeats
       
       @cj @sir What do CAs have to do with client-certificates?
       
 (DIR) Post #9w17QssICl2jTK1KO8 by sir@cmpwn.com
       2020-06-12T19:48:37Z
       
       0 likes, 0 repeats
       
       @IceWolf because if you lose your computer, you lose your certificate. Or if you move to another machine. Or if you use multiple machines
       
 (DIR) Post #9w17f1UWxs8MFaeEbo by IceWolf@meow.social
       2020-06-12T19:51:07Z
       
       0 likes, 0 repeats
       
       @lanodan @sir Yeah. And honestly, I can't remember most of my passwords anyway. They're nearly all long and random and I have a different one for every website, and I never see them because my browser handles that.
       
 (DIR) Post #9w17f1pngn9DJYbDlI by sir@cmpwn.com
       2020-06-12T19:51:51Z
       
       0 likes, 0 repeats
       
       @IceWolf @lanodan but most users are not like you
       
 (DIR) Post #9w17fJw8NyuRSPhX8K by lanodan@queer.hacktivis.me
       2020-06-12T19:54:57.829905Z
       
       0 likes, 0 repeats
       
       @sir @IceWolf Most users will just use their available software, just need at least one common browser doing this in a good way to potentially raise adoption.
       
 (DIR) Post #9w17lfhCOn4QgBkAYS by sir@cmpwn.com
       2020-06-12T19:53:24Z
       
       0 likes, 0 repeats
       
       @lanodan @cj a client certificate can still be signed by a CA, and this would be useful in some situations (especially as a replacement for OAuth)
       
 (DIR) Post #9w17mQyWcBr9JXDAaO by cj@mastodon.technology
       2020-06-12T19:53:39Z
       
       0 likes, 0 repeats
       
        @lanodan @sir If a group is making a lot of money managing the server side of HTTPS certificates, what incentive do they have to innovate?
       
 (DIR) Post #9w17mRChlTCO1VqUgi by cj@mastodon.technology
       2020-06-12T19:55:14Z
       
       0 likes, 0 repeats
       
       @lanodan @sir Let me put it another way: what browser would want to make their users pay a CA to issue a client-side certificate?
       
 (DIR) Post #9w17mRSeo9xWozJEYK by lanodan@queer.hacktivis.me
       2020-06-12T19:56:14.580950Z
       
       0 likes, 0 repeats
       
        @cj @sir the browser itself generates the client certificate, no CA is involved there.
        All a CA does is sign a certificate, which here is quite useless (the service itself could be a CA though).
       
 (DIR) Post #9w17sOltilbSDW9JGy by IceWolf@meow.social
       2020-06-12T19:55:25Z
       
       0 likes, 0 repeats
       
       @lanodan @sir I think Firefox has client certificate support, based on when I went poking around in the settings; never tried it, though.
       
 (DIR) Post #9w17sOz0w05wsCHmiW by sir@cmpwn.com
       2020-06-12T19:55:41Z
       
       0 likes, 0 repeats
       
       @IceWolf @lanodan it does, but it's not great
       
 (DIR) Post #9w17tDy3NKd6zzEEng by lanodan@queer.hacktivis.me
       2020-06-12T19:57:28.641822Z
       
       0 likes, 0 repeats
       
        @sir @IceWolf Yeah, it's basically the bare minimum done.
        A bit like how their RSS/Atom thing looked some versions ago.
       
 (DIR) Post #9w17zRJeevfY8TIQQC by IceWolf@meow.social
       2020-06-12T19:57:54Z
       
       0 likes, 0 repeats
       
       @lanodan @sir *blinks* Firefox /does/ RSS?
       
 (DIR) Post #9w17zWrs190dM2LJwm by lanodan@queer.hacktivis.me
       2020-06-12T19:58:35.412152Z
       
       0 likes, 0 repeats
       
        @IceWolf @sir It did display a page slightly better than an XML dump.
        And you could put RSS/Atom feeds into the bookmarks.
       
 (DIR) Post #9w183DABDl83OqfA8m by Feuerfuchs@fedi.vulpes.one
       2020-06-12T19:59:16.541503Z
       
       0 likes, 0 repeats
       
       @IceWolf @lanodan @sir Did. They removed it a while ago
       
 (DIR) Post #9w187J01SpvUetrdZY by sir@cmpwn.com
       2020-06-12T19:59:09Z
       
       0 likes, 0 repeats
       
        @lanodan imagine the following:
        1. API client creates a certificate authority and submits the root certificate to the service provider as part of their client registration
        2. API client generates a CSR and directs the user to an authorization page with the service provider with the CSR attached. The certificate attached to the CSR includes things like desired access scopes, and is signed by the API client's CA or intermediates.
        3. User authorizes the access request. Service provider signs the certificate and sends it (and the user) back to the API client.
        4. API client uses this as their client-side certificate when submitting API requests.
       
 (DIR) Post #9w189H0bpssz434pQO by lain@lain.com
       2020-06-12T20:00:21.951605Z
       
       0 likes, 0 repeats
       
       @riking @sir this
       
 (DIR) Post #9w18OTGoWxZHR5u4Su by dredmorbius@mastodon.cloud
       2020-06-12T20:02:06Z
       
       0 likes, 0 repeats
       
        @sir Cert phishing?
        If auth is entirely client side, what are the social-engineering or malware routes to unintended / unaware cert granting by the user?
        Not sure this is even a consideration voiced, though it comes to mind.
       
 (DIR) Post #9w18VyZKYrfsXB8vNw by dredmorbius@mastodon.cloud
       2020-06-12T20:02:43Z
       
       0 likes, 0 repeats
       
       @sir Have you looked at any of the standards docs / discussion?
       
 (DIR) Post #9w18bdenDxbNPlOk88 by lanodan@queer.hacktivis.me
       2020-06-12T20:05:30.182477Z
       
       0 likes, 0 repeats
       
        @sir Why not just: Client generates a certificate and sends it to the service as a token, restrictions can be done with association to this token.
        Client certificate can then be used for further authentication.
        Similar to SSH/SASL/…
       
 (DIR) Post #9w18ce6x1Mxt7336cy by dredmorbius@mastodon.cloud
       2020-06-12T20:03:36Z
       
       0 likes, 0 repeats
       
        @sir How are you implementing client-side certs w/o browsers? @riking
       
 (DIR) Post #9w18hFOWLPMRu4Sf56 by wolf480pl@mstdn.io
       2020-06-12T20:06:25Z
       
       0 likes, 0 repeats
       
       @sir @lanodan why three-legged tho...
       
 (DIR) Post #9w18oXkoTxlOs6Mqa8 by wolf480pl@mstdn.io
       2020-06-12T20:07:46Z
       
       0 likes, 0 repeats
       
       @sir because you may want to terminate your TLS a couple hops away from the application code (eg. with an nginx or haproxy), and getting the client cert info across would be difficult
       
 (DIR) Post #9w18rfnh1RL2hDCt0K by sir@cmpwn.com
       2020-06-12T20:06:14Z
       
       0 likes, 0 repeats
       
       @lanodan idgi, at what point is the user involved? How do you revoke it?
       
 (DIR) Post #9w18rg3e486BUgfcrw by lanodan@queer.hacktivis.me
       2020-06-12T20:08:23.315195Z
       
       0 likes, 0 repeats
       
       @sir Revocation can just work like any other token, which is basically the only revocation that works as crypto-backed revocation often fails.
       
 (DIR) Post #9w18vHZb2b9wiMKn8C by cj@mastodon.technology
       2020-06-12T19:58:42Z
       
       0 likes, 0 repeats
       
        @lanodan @sir The CA is supposedly the way that when your browser and my browser generate certs, and I say "I'm Haelwenn" and you say "I'm Haelwenn", the CA can say "it's not this person (pointing at me)".
        Traditionally, to get a CA to simply sign something, they'll charge you (it's their business to). So no browser wants to say "download my free browser then pay the CA".
        So sure CAs can be avoided like the original GPG/PGP idea, or the SPKI/SDSI idea.
       
 (DIR) Post #9w18vHylX1IByQ6tMW by cj@mastodon.technology
       2020-06-12T20:05:24Z
       
       0 likes, 0 repeats
       
        @lanodan @sir So with the money all going to CAs (starting in the late 90's) and something as progressive as Let's Encrypt (which is a sociological/economic change, not a tech one) only launching in 2016, I'm not surprised the tech research in this competing area is relatively stunted. I'm sympathetic to some of the ideas, but honestly I haven't looked too deeply into SPKI/SDSI and have never been to a PGP/GPG key signing party, so I am still a part of the problem lol.
       
 (DIR) Post #9w18vIK2FwJ32O3sW0 by lanodan@queer.hacktivis.me
       2020-06-12T20:09:01.592775Z
       
       0 likes, 0 repeats
       
        @cj @sir > PGP/GPG
        Forget this, it's one of the most broken things ever, almost everything in OpenPGP can be used as an example of what *not* to do.
       
 (DIR) Post #9w18vWu031OQFyznW4 by sir@cmpwn.com
       2020-06-12T20:06:42Z
       
       0 likes, 0 repeats
       
       @wolf480pl @lanodan wut
       
 (DIR) Post #9w18wApna3ne6XL0WO by sir@cmpwn.com
       2020-06-12T20:08:29Z
       
       0 likes, 0 repeats
       
       @wolf480pl seems cargo culty
       
 (DIR) Post #9w194JHY3ZSscYCHkO by sir@cmpwn.com
       2020-06-12T20:08:50Z
       
       0 likes, 0 repeats
       
       @lanodan okay but the other question was more important
       
 (DIR) Post #9w194PBO7O6OvBMRyi by lanodan@queer.hacktivis.me
       2020-06-12T20:10:37.868196Z
       
       0 likes, 0 repeats
       
        @sir Question that I'm not so sure about.
        Like involved for what?
       
 (DIR) Post #9w19947TrDhB2kkuVk by cj@mastodon.technology
       2020-06-12T20:09:53Z
       
       0 likes, 0 repeats
       
       @lanodan But what if the party has free beer? :P
       
 (DIR) Post #9w1994KF5lu5gKj6P2 by lanodan@queer.hacktivis.me
       2020-06-12T20:11:32.168876Z
       
       0 likes, 0 repeats
       
       @cj Then maybe that could be the only good thing involved in it depending on the beer.
       
 (DIR) Post #9w19RULT5dRNaq5CrY by wolf480pl@mstdn.io
       2020-06-12T20:14:49Z
       
       0 likes, 0 repeats
       
        @sir @lanodan what is the purpose of the CA in point one?
        From what I understood, it's held by the API client's developers instead of the user?
       
 (DIR) Post #9w19YkWLLfWPmsdFI0 by sir@cmpwn.com
       2020-06-12T20:11:02Z
       
       1 likes, 0 repeats
       
       @lanodan how does the user consent to the access?
       
 (DIR) Post #9w19hojZ3M1nSd8jvE by sir@cmpwn.com
       2020-06-12T20:15:37Z
       
       0 likes, 0 repeats
       
       @wolf480pl @lanodan you understood correctly. It would have to be in the signature chain for any cert used to authenticate requests. The advantage of this step is that all of the client's certificates can be revoked in one fell swoop.
       
 (DIR) Post #9w19sPNHg9aFzmliuO by fluffy@social.handholding.io
       2020-06-12T20:19:44.775570Z
       
       0 likes, 0 repeats
       
       @sir @lanodan as a party with less privilege, users cannot consent.
       
 (DIR) Post #9w19tp23lmtVrRW12m by alcinnz@floss.social
       2020-06-12T20:18:43Z
       
       0 likes, 0 repeats
       
        @sir Agreed!
        You might be interested to know: Gemini can request client-side certificates to be used.
       
 (DIR) Post #9w19w2mZcMVJ5NKb44 by wolf480pl@mstdn.io
       2020-06-12T20:20:19Z
       
       1 likes, 0 repeats
       
       @sir @lanodan Ok, but why would you want to revoke a client? After all, it's acting on behalf of the user, and if the user didn't want it to act on user's behalf anymore, user would revoke the individual certificate they authorized in point 3.
       
 (DIR) Post #9w1A4ud1Itf8P15jX6 by sir@cmpwn.com
       2020-06-12T20:21:12Z
       
       0 likes, 0 repeats
       
       @wolf480pl @lanodan maybe the client has been doing something malicious, or they lost the private key
       
 (DIR) Post #9w1A6qz9oqfjgQN6hM by cj@mastodon.technology
       2020-06-12T20:21:06Z
       
       0 likes, 0 repeats
       
        @sir The downside is that this is kind of a hack to sidestep the fact that a CA (or replacement technology) is meant to mediate between two people claiming to be "Drew". Merely getting validation w/ a full cert chain isn't sufficient.
        If both "Drew"s submitted their own CAs to the server, neither CA can claim to be any more authentic than the other, despite both passing validation. @wolf480pl @lanodan
       
 (DIR) Post #9w1A6scXjtlskro4jA by wolf480pl@mstdn.io
       2020-06-12T20:22:19Z
       
       0 likes, 0 repeats
       
       @cj @sir @lanodan is "Drew" in this example a user or an API client?
       
 (DIR) Post #9w1AH0bstEOIQgKPtA by cj@mastodon.technology
       2020-06-12T20:24:07Z
       
       0 likes, 0 repeats
       
        @wolf480pl Both. If I understand Drew's 4-point list, the user generates a CA client-side and shares the root to the server for validation purposes. However, as this scales to X million users, everyone is their own CA, which returns us back to some very old discussions that definitely pre-date me. @sir @lanodan
       
 (DIR) Post #9w1AOcRacebtnR8rNA by kobajagi@fosstodon.org
       2020-06-12T20:21:46Z
       
       0 likes, 0 repeats
       
        @sir On a side note, I always wondered why the FIDO password-less effort requires a bunch of JS, versus just moving the client cert to a hardware device the same way and doing the auth magic at the protocol level.
       
 (DIR) Post #9w1AYAyhawqxVZBfAu by sir@cmpwn.com
       2020-06-12T20:22:05Z
       
       0 likes, 0 repeats
       
       @sigrid they already have TLS support for, like, talking to the web at all
       
 (DIR) Post #9w1AZLWtqkzOWTjzTU by wolf480pl@mstdn.io
       2020-06-12T20:27:26Z
       
       1 likes, 0 repeats
       
        @cj @sir @lanodan > user generates a CA client-side
        No.
        Think of the API client as a service run by someone on the internet. The admin of that service generates a CA and sends it to the API server for approval.
        Then a user comes to the client, says they want to use it, gets a CSR, passes it to the server, authorizes it to act on the user's behalf, passes the signed cert back to the client
       
 (DIR) Post #9w1AeSSbVcuPSxAXI0 by sir@cmpwn.com
       2020-06-12T20:24:49Z
       
       0 likes, 0 repeats
       
       @cj @wolf480pl @lanodan false, X users will only be represented by Y user agents, where Y is substantially <X. This is being considered as an alternative to OAuth, remember.
       
 (DIR) Post #9w1AfhZKoz2qc7uUyG by wolf480pl@mstdn.io
       2020-06-12T20:28:33Z
       
       0 likes, 0 repeats
       
       @cj @sir @lanodan Obviously this doesn't make sense for clients that are programs the user runs on their own machine.
       
 (DIR) Post #9w1Az126g8IQTzZsVE by cj@mastodon.technology
       2020-06-12T20:32:04Z
       
       0 likes, 0 repeats
       
        @wolf480pl Ah right, thanks both for setting me straight. Sorry I still had a simple browser use case stuck in my head.
        I see how the CA critique can instead be viewed as a strength. I'm not sure it makes me feel like it's any less of a hack though as it's really just an old fashioned "web-of-trust" key-signing-other-keys. @sir @lanodan
       
 (DIR) Post #9w1B4hi7Qp3QIDwOrA by wolf480pl@mstdn.io
       2020-06-12T20:33:00Z
       
       0 likes, 0 repeats
       
       @cj @sir @lanodan how's a CA anything different than key-signing-other-keys?
       
 (DIR) Post #9w1BVkqxr5ZdrHydyC by cj@mastodon.technology
       2020-06-12T20:37:57Z
       
       0 likes, 0 repeats
       
        @wolf480pl Not sure I understand. It isn't.
        Taking a step back, we are deep in a rabbit hole talking about taking OAuth (which you may view as a hack) and shoving the entire CA system into its place (which the tiny cyberpunk in me loves the hackiness square-peg rectangle-hole of it), when there's an opportunity to also take a step back entirely, rewind history, and pick up entirely different replacement approaches. Which may also be glorified "keys-signing-other-keys" but who knows. @sir @lanodan
       
 (DIR) Post #9w1BbWoAzG3q2JQTKK by wolf480pl@mstdn.io
       2020-06-12T20:39:02Z
       
       0 likes, 0 repeats
       
       @cj @sir @lanodan I think you're confusing "CAs" with "a global list of CAs trusted by web browsers"
       
 (DIR) Post #9w1BorbKzUBEHymOdE by sir@cmpwn.com
       2020-06-12T20:41:24Z
       
       0 likes, 0 repeats
       
       @wolf480pl @cj @lanodan you, too, can be a CA, with about 4 OpenSSL commands
       
 (DIR) Post #9w1C0t1JXacoAHfA3M by cj@mastodon.technology
       2020-06-12T20:42:39Z
       
       0 likes, 0 repeats
       
        @sir @wolf480pl @lanodan I think the critique was that I am too focused on how browsers treat CAs as opposed to how CAs operate in general.
        To that I say: I'm not confusing anything. I'm trying to keep to the entire point of this conversation, no? If I understood Drew's implied critique of OAuth, it is because OAuth was invented to circumvent browser limitations. Such as who gets a root CA in browsers.
       
 (DIR) Post #9w1C0tMEHpM5D9Rrea by wolf480pl@mstdn.io
       2020-06-12T20:43:36Z
       
       0 likes, 0 repeats
       
       @cj @sir @lanodan Ok, so what do you think is the difference between a CA and keys-signing-other-keys ?
       
 (DIR) Post #9w1C2j7zI7hS3zf6HY by wolf480pl@mstdn.io
       2020-06-12T20:43:59Z
       
       0 likes, 0 repeats
       
       @cj @sir @lanodan Ok, so what do you think is the difference between a CA and a key that signs other keys?
       
 (DIR) Post #9w1C7hoVbYilR3vPJw by cj@mastodon.technology
       2020-06-12T20:44:03Z
       
       0 likes, 0 repeats
       
       @sir @wolf480pl @lanodan But who gets a root CA in a browser doesn't apply much to this particular use case. Being able to generate cert authorities does. And no one managing a browser is going to suggest creating a CA for the user due to the convention and socioeconomic definition of CA.
       
 (DIR) Post #9w1C7iPjNAUlIVL8L2 by wolf480pl@mstdn.io
       2020-06-12T20:44:47Z
       
       0 likes, 0 repeats
       
       @cj @sir @lanodan But the client is running on a server. The browser is only passing authorizations back and forth.
       
 (DIR) Post #9w1CBEWKSTIxk66TtA by cj@mastodon.technology
       2020-06-12T20:45:29Z
       
       0 likes, 0 repeats
       
        @wolf480pl @sir @lanodan To quote Drew:
        "1. API client creates a certificate authority"
        Browsers are API clients too.
       
 (DIR) Post #9w1CEHSI0FNFiIfQKe by sir@cmpwn.com
       2020-06-12T20:45:48Z
       
       2 likes, 0 repeats
       
       @cj @wolf480pl @lanodan also to quote me: "who gives a fuck about browsers tbh"
       
 (DIR) Post #9w1CIRHZPM6BLldVRY by wolf480pl@mstdn.io
       2020-06-12T20:46:47Z
       
       0 likes, 0 repeats
       
        @cj @sir @lanodan > Browsers are API clients too.
        No.
        Also, JS is disabled.
       
 (DIR) Post #9w1CPmbUXBO3VJSLAG by lanodan@queer.hacktivis.me
       2020-06-12T20:48:10.432151Z
       
       0 likes, 0 repeats
       
       @sir Allow the certificate or not as a source, same as with passwords, OpenID, OAuth, …
       
 (DIR) Post #9w1CQOOi19k0iflfW4 by cj@mastodon.technology
       2020-06-12T20:15:24Z
       
       1 likes, 0 repeats
       
       @lanodan Haha! Damn, those are some tough words! Note to self... pick the right kind of beer if Haelwenn decides to show up at the party... (I have poor taste)
       
 (DIR) Post #9w1CWvPmAoEqrGNjuK by cj@mastodon.technology
       2020-06-12T20:48:36Z
       
       0 likes, 0 repeats
       
       @sir @wolf480pl @lanodan Well yes, you of course. But the question was "why OAuth" and the people managing browsers think differently than "who give a fuck about the browser I run". The people who created the specs of that time I imagine cared enough to not try to redefine what everyone else's understanding of a CA was.
       
 (DIR) Post #9w1CkIvg3fKlYGgQE4 by lanodan@queer.hacktivis.me
       2020-06-12T20:51:53.415841Z
       
       0 likes, 0 repeats
       
       @wolf480pl @cj @sir IIRC you can generate a client-certificate in a browser without any JS involved.
       
 (DIR) Post #9w1Cnl9DbDJvwEfG2i by wolf480pl@mstdn.io
       2020-06-12T20:52:28Z
       
       0 likes, 0 repeats
       
       @lanodan @sir @cj yes, but you can't operate a CA in browser without any JS
       
 (DIR) Post #9w1CpTMKhunJLbcECW by cj@mastodon.technology
       2020-06-12T20:52:46Z
       
       0 likes, 0 repeats
       
        @wolf480pl I'm honestly not sure how to respond to this, and I think I'm reading it in a way that isn't charitable, so if you want an answer I need to understand this sudden fixation on JS? @sir @lanodan
       
 (DIR) Post #9w1Cxf2NAkflsoBScK by wolf480pl@mstdn.io
       2020-06-12T20:54:14Z
       
       0 likes, 0 repeats
       
        @cj @sir @lanodan A browser without JS isn't able to act as an API client.
        Unless the user enjoys reading raw JSON, that is.
        The only way a browser would become an API client is through AJAX, which is not in scope for sourcehut
       
 (DIR) Post #9w1DCualceggT8XlvU by cj@mastodon.technology
       2020-06-12T20:56:59Z
       
       0 likes, 0 repeats
       
        @wolf480pl Ah I was completely missing the sourcehut link there. Thanks for bringing me up to speed.
        Yep that's a pickle. @sir @lanodan
       
 (DIR) Post #9w1DCyCoBftpfzMh8a by lanodan@queer.hacktivis.me
       2020-06-12T20:57:04.242393Z
       
       1 likes, 0 repeats
       
        @wolf480pl @sir @cj Which is fine to me, I don't want more states into the trashfire almost formerly known as a user-agent.
        To me the service should be the CA.
       
 (DIR) Post #9w1DM8O7hMRhrZ1kdE by wolf480pl@mstdn.io
       2020-06-12T20:58:39Z
       
       0 likes, 0 repeats
       
       @lanodan @sir @cj Are we still talking about 3-legged usecases?
       
 (DIR) Post #9w1DPnTdO4jYAOLrEm by lanodan@queer.hacktivis.me
       2020-06-12T20:59:22.868842Z
       
       0 likes, 0 repeats
       
       @wolf480pl @sir @cj Not really, since I don't really like this case, it's too involved.
       
 (DIR) Post #9w1I0QbbmjePlOnuBU by wolf480pl@mstdn.io
       2020-06-12T21:50:46Z
       
       0 likes, 0 repeats
       
       @sir you mean terminating TLS at a reverse proxy separate from the application backend is cargo-culty, or the idea that it'd be difficult to pass client cert info to backend is cargo-culty?
       
 (DIR) Post #9w1I4xHSF5UkGGXHHc by wolf480pl@mstdn.io
       2020-06-12T21:51:34Z
       
       0 likes, 0 repeats
       
       @sir or the idea that you'd want to pass that authentication information to the backend?
       
 (DIR) Post #9w1I9f3NRBjfBAC9se by sir@cmpwn.com
       2020-06-12T21:52:24Z
       
       0 likes, 0 repeats
       
       @wolf480pl I don't recall exactly why I said that tbh. But it's not especially hard to pass the cert along, nginx can do it in one extra line of config.
       
 (DIR) Post #9w1LHJIkUjmptZixgu by portpupper@social.sakamoto.gq
       2020-06-12T22:27:29.802400Z
       
       0 likes, 0 repeats
       
       @lanodan @sir @IceWolf When will #SQRL ever take off in the wild?
       
 (DIR) Post #9w1PtMuttv8BveyLtQ by IceWolf@meow.social
       2020-06-12T22:36:03Z
       
       0 likes, 0 repeats
       
       @portpupper @sir @lanodan What's SQRL?
       
 (DIR) Post #9w1PtN9R1sl0ejlxY0 by portpupper@social.sakamoto.gq
       2020-06-12T23:19:10.621026Z
       
       0 likes, 0 repeats
       
        @IceWolf An alternate way to log in that doesn't involve the usual e-mail/password registration.
        https://sqrl.grc.com/pages/what_is_sqrl/
        It was developed by the host of Security Now. @sir @lanodan