GPG for authentication

Story: Can the Concordia Project Bring Coherence to Federated Identity?
Total Replies: 4
Sander_Marechal

May 10, 2007
1:50 PM EDT
Related to this: I've always wondered if it would be possible to use GPG as a method of authentication. GPG is widely used. Public-private key cryptology usually makes my head spin when I think about it too hard, but it would be something I'd like to try out. So, for the cryptology-minded among you:

Would it be possible to create a website login system in which the website only has access to the public key and where the user has the private key, and prove to the website that he is who he says he is? How would that work? Alice and Bob examples preferred! http://en.wikipedia.org/wiki/Alice_and_Bob
azerthoth

May 10, 2007
6:07 PM EDT
Off the top of my head would be a browser cookie that you have emailed to you and you have to manually insert into your cookie cache.

You access the website, website checks the cookie, if you have it you're in, if not you get sent to Penguin Pete's underwear drawer.
Sander_Marechal

May 10, 2007
10:35 PM EDT
Well, if I were to make something like this I'd create a Firefox (yes, and IE7) plugin for it. But I understand your point. Website sends randomized session cookie. Client encrypts cookie with private key. Website decrypts cookie with public key and makes sure it matches what was sent.

If you built it into the browser you could have single sign-on throughout the internet. Log into your browser and the browser can log you into all the websites. One potential problem I see is multiple accounts on the same website. How would the browser or website know which account to sign in with?

dcparris

May 10, 2007
11:37 PM EDT
Same way as with password managers?
Sander_Marechal

May 11, 2007
4:57 AM EDT
Sort of. Except that you don't need to create new accounts anywhere (you already have your one GPG key that's valid everywhere). I.e. no need to sign up to anything. Just log in :-). It would also give websites a nice opportunity to reliably link users from one system to another. E.g. I can associate forum posts with Bugzilla comments and wiki edits.

You could even extrapolate it further. Websites could associate the public GPG key ID with posts (in microformat code - http://www.microformats.org). That way even search engines could do the social linking. I.e. it would be possible for Technorati to reliably search all your blog posts and blog comments, no matter what blogs they were made at.

But that's just a bonus. The reason I'd like to do it now is so that I don't have to have a hundred different username/password combinations for all my websites. Even with a password manager it's hard to keep track of so many accounts.
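The challenge-response login discussed in this thread, as an added example that is not part of any of the posts: the site keeps only public keys, sends a random nonce, and checks the client's digital signature over it (the operation the thread calls encrypting with the private key). It goes slightly beyond the thread by binding the signature to the site's origin and making each nonce single-use and short-lived, so a captured or relayed response cannot be reused. Assumptions: Node.js Ed25519 keys stand in for GPG keys, and `ORIGIN`, `TTL_MS` and all function names are hypothetical.

```javascript
// Added example: challenge-response login where the site stores only public keys.
const crypto = require('node:crypto');

const ORIGIN = 'https://forum.example';  // assumed site identity (hypothetical)
const TTL_MS = 60_000;                   // assumed challenge lifetime
const accounts = new Map();              // key fingerprint -> { name, publicKey }
const pending = new Map();               // nonce -> expiry timestamp

// Identify a key by the SHA-256 of its encoded public part.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Site side: enrolment stores the public key only, never a secret.
function register(name, publicKey) {
  accounts.set(fingerprint(publicKey), { name, publicKey });
}

// Site side: issue a fresh, unpredictable nonce and remember when it expires.
function issueChallenge(now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString('hex');
  pending.set(nonce, now + TTL_MS);
  return nonce;
}

// The bytes that get signed: the nonce bound to the site it was issued for.
function payload(origin, nonce) {
  return Buffer.from(`login-v1\n${origin}\n${nonce}`);
}

// Client side: sign the challenge for the origin the browser is talking to.
function respond(privateKey, origin, nonce) {
  return crypto.sign(null, payload(origin, nonce), privateKey);
}

// Site side: the nonce is consumed on first use, pass or fail, so replays are rejected.
function verifyLogin(keyFingerprint, nonce, signature, now = Date.now()) {
  const expiry = pending.get(nonce);
  pending.delete(nonce);
  const account = accounts.get(keyFingerprint);
  if (expiry === undefined || now > expiry || !account) return null;
  const ok = crypto.verify(null, payload(ORIGIN, nonce), account.publicKey, signature);
  return ok ? account.name : null;
}

// Constructed sample keys: Alice is enrolled, Mallory is not.
const alice = crypto.generateKeyPairSync('ed25519');
const mallory = crypto.generateKeyPairSync('ed25519');
register('alice', alice.publicKey);
```

Because the account is looked up by key fingerprint, a user with several accounts on one site would use a separate key per account, or the site would need an extra account selector in the login request.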
