Thu Jul 24 17:03:01 2003
CL Gilbert wrote:
> Is it possible to have a single signin system using pgp? I have so
> many websites I use and so many usernames and passwords to remember.
> Why can't I just give a website my public key, and they use that to
> authenticate me!? It seems similar to that MSPassport is trying to
> Any ideas?

Chicken and egg problem. In addition to a GnuPG public-private key pair,
I also have a VeriSign digital certificate. Web sites can query me for
that and it would be unnecessary for them to ask for a login and
password. But I know of no web sites that do that.

I imagine the problem is that no web site wants two mechanisms for user
authentication, and until a large majority of the public has such
certificates, the method used by VeriSign (and others) will not be used.
Similarly for PGP or GnuPG: until the majority of computer users out
there are using them, and their keys are in the web of trust of the web
site operators, the web site operators will ignore these too.

After several years, I have actually met someone who has a GnuPG public
key in person. (We exchanged fingerprints after examining each other's
passports.) At this rate, all this encryption and digital signature
stuff will be used mostly by hobbyists amusing themselves, and in
certain very specialized situations.
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 73926.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 10:55am up 2 days, 15:50, 2 users, load average: 2.07, 2.08, 2.09