I get a free Authenticated SSL certificate with my fancy new WestHost Cloud Server.
I only get to use the account on one domain. After a great deal of thinking, I used the certificate for the empty domain iRivers.com.
The two pieces of information I want to keep secure are email addresses and passwords.
So, I created a registration form.
I am now working on a secure Login Form. The secure login form.
The secure login is interesting. First, the page checks to see that the user accessed it through a secure port. The user then selects a destination web site and enters their user name and password. If the user name and password match the account on the server the system will create a secure single use token.
The login program redirects the user to the destination site with the token. The destination site queries iRivers.com with the token. If the token is valid, the destination site responds back with a packet containing user and session information.
This design allows me to use the same user base for any web site I create in the future.
The next step is to integrate this design with Oauth and Open ID ... but I will leave those challenges for another day.