Username/password authentication strategy

Solderpunk solderpunk at posteo.net
Tue Jul 21 18:33:24 BST 2020


On Mon Jul 20, 2020 at 11:27 PM CEST, Peter Vernigorov wrote:

> But I think the bigger problem is that now I need to store usernames,
> pins, all of user's cert fingerprints and their first seen and last seen
> dates, I would need to build an interface to delete old/lost
> fingerprints, etc.

Combining username/password authentication with multiple simultaneous,
long-lived certificates seems like a maximum-complexity approach to me
and I'm not sure there's much to be gained from it.

If you want something light and simple using usernames and passwords, it
makes sense to me to inform the user to generate a short-lived
certificate, to then use a sequence of 10 and 11 status codes to request
a username and password, and, if they are valid, to mark that
certificate fingerprint as authorised for that account and at the same
time immediately deauthorise (and forget about) any and all previous
certificates used for that account.  A user "logs out" manually by
deleting the certificate, or else their session naturally expires when
the certificate's validity period lapses.

I grant you this is less straightforward than HTTP basic auth.
Multi-user applications with user-friendly interfaces aren't really
straightforward in Gemini.

Cheers,
Solderpunk
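The flow Solderpunk sketches above, written out as server-side logic. This is an added example, not code from the post or from any Gemini server; it assumes the server keys the half-finished login (username typed at the status 10 prompt) on the client certificate's fingerprint, that a fingerprint is the hex SHA-256 of the certificate's DER bytes, and that passwords are stored as salted PBKDF2 digests. Status codes 10, 11, 20, 60, 61 and 62 are the standard Gemini ones; path names and the `LoginService` API are invented for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Gemini status codes used by the flow in the post.
INPUT = 10                 # ask the client for input; it re-requests the URL with ?query
SENSITIVE_INPUT = 11       # same, but the client should not echo what is typed
SUCCESS = 20
CLIENT_CERT_REQUIRED = 60
CERT_NOT_AUTHORISED = 61
CERT_NOT_VALID = 62

PBKDF2_ROUNDS = 200_000


def fingerprint_of(cert_der: bytes) -> str:
    """Fingerprint a client cert as the hex SHA-256 of its DER bytes (assumption of this example)."""
    return hashlib.sha256(cert_der).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    fingerprint: Optional[str] = None   # the single certificate currently authorised


class LoginService:
    """Server-side state for username/password login bound to a short-lived client cert."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, str] = {}                 # fingerprint -> username typed at the 10 prompt
        self.sessions: dict[str, tuple[str, float]] = {}  # fingerprint -> (username, cert expiry)
        self._dummy = Account(*hash_password(os.urandom(8).hex()))  # keeps timing equal for unknown users

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def _forget(self, fingerprint: str) -> None:
        """Drop every trace of a certificate: pending login and authorised session."""
        self.pending.pop(fingerprint, None)
        entry = self.sessions.pop(fingerprint, None)
        if entry is not None:
            account = self.accounts.get(entry[0])
            if account is not None and account.fingerprint == fingerprint:
                account.fingerprint = None

    def handle(self, path: str, query: Optional[str], fingerprint: Optional[str] = None,
               cert_expiry: Optional[float] = None, now: float = 0.0) -> tuple[int, str]:
        """Return the (status, meta) response header for one request."""
        if fingerprint is None:
            return CLIENT_CERT_REQUIRED, "Client certificate required"
        if cert_expiry is not None and cert_expiry <= now:
            # the session lapses naturally with the certificate's validity period
            self._forget(fingerprint)
            return CERT_NOT_VALID, "Certificate has expired"
        if path == "/login":
            return self._login(query, fingerprint, cert_expiry)
        if fingerprint not in self.sessions:
            return CERT_NOT_AUTHORISED, "Certificate not authorised; visit /login"
        return SUCCESS, "text/gemini"

    def _login(self, query: Optional[str], fingerprint: str,
               cert_expiry: Optional[float]) -> tuple[int, str]:
        if query is None:
            return INPUT, "Username"
        if fingerprint not in self.pending:
            # first answer is the username; the client re-requests /login?<username>
            self.pending[fingerprint] = query
            return SENSITIVE_INPUT, "Password"
        username = self.pending.pop(fingerprint)   # second answer is the password
        account = self.accounts.get(username)
        target = account if account is not None else self._dummy
        ok = verify_password(query, target.salt, target.digest)
        if account is None or not ok:
            return INPUT, "Login failed. Username"
        # authorise this cert and forget whichever cert the account used before
        if account.fingerprint is not None:
            self.sessions.pop(account.fingerprint, None)
        account.fingerprint = fingerprint
        self.sessions[fingerprint] = (username, cert_expiry or 0.0)
        return SUCCESS, "text/gemini"
```

Note that with status 11 the password still travels in the request URL; the code only tells the client not to echo it, so the server should keep the login path out of any access log it writes. Logging in from a second certificate evicts the first one, which is what makes the server-side state a single fingerprint per account rather than the growing list the quoted message worries about.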

