pgp logins

Jean-David Beyer
Thu Jul 24 17:03:01 2003

CL Gilbert wrote:
 > Is it possible to have a single signin system using pgp?  I have so
 > many websites I use and soo many usernames and passwords to remember.
 > Why can't I just give a website my public key, and they use that to
 > authenticate me!?  It seems similar wo that MSPassport is trying to
 > do.
 > Any ideas?
Chicken and egg problem. In addition to a GnuPG public-private key pair,
I also have a VeriSign digital certificate. Web sites can query me for 
that and it would be unnecessary for them to ask for a login and 
password. But I know of no web sites that do that.

I imagine the problem is that no web site wants two mechanisms for user 
authentication, and until a large majority of the public has such 
certificates, the method used by VeriSign (and others) will not be used.

Similarly for PGP or GnuPG: until the majority of computer users our 
there are using them, and their keys are in the web of trust of the web 
site operators, the web site operators will ignore these too.

After several years, I have actually met someone who has a GnuPG public 
key in person. (We exchanged fingerprints after examining each others' 
passports.) At this rate, all this encryption and digital signature 
stuff will be used mostly by hobbyests amusing themselves, and in 
certain very specialized situations.

   .~.  Jean-David Beyer           Registered Linux User 85642.
   /V\                             Registered Machine    73926.
  /( )\ Shrewsbury, New Jersey
  ^^-^^ 10:55am up 2 days, 15:50, 2 users, load average: 2.07, 2.08, 2.09