pgp logins

Neil Williams
Fri Jul 25 00:02:02 2003


On Thursday 24 Jul 2003 4:04 pm, Jean-David Beyer wrote:

> Chicken and egg problem. In addition to a GnuPG public-private key pair,
> I also have a VeriSign digital certificate. Web sites can query me for
> that and it would be unnecessary for them to ask for a login and
> password. But I know of no web sites that do that.
> I imagine the problem is that no web site wants two mechanisms for user
> authentication, and until a large majority of the public has such
> certificates, the method used by VeriSign (and others) will not be used.

OK. I'll bite. I am currently considering an alternative authentication
protocol for a website where GnuPG/PGP is already in use. I was going to just
move from Basic HTTP authentication to MySQL (which is faster but retains
manual password entry protocols). I wouldn't mind having dual authentication
for those users whose GnuPG keys have been signed by the webmaster (me) -
call it an incentive for more keysignings.

So how is it done? Does it involve Kerberos (not used yet) type transfer or
SSH (used)? Does it involve transferring key data - would that need to be
done over an https:// connection (not currently available)? How would it work
with user firewalls? Does it work for only sub-directories within the site or
must it apply for the entire site? Is there a requirement for a separate
client on each user machine (like SSH) which has to be separately installed?

Does the capability exist yet? (Not being very successful with google so far
on this.)

> Similarly for PGP or GnuPG: until the majority of computer users out
> there are using them, and their keys are in the web of trust of the web
> site operators, the web site operators will ignore these too.

I've got a decent web of trust so far without any real effort so I'm hoping it
could work for me.

> After several years, I have actually met someone who has a GnuPG public
> key in person. (We exchanged fingerprints after examining each other's
> passports.) At this rate, all this encryption and digital signature
> stuff will be used mostly by hobbyists amusing themselves, and in
> certain very specialized situations.

You need a LUG!


Neil Williams
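Added example, not part of the thread and not code from either correspondent: one way the "PGP login" asked about above can be built with nothing but GnuPG itself. The server mints a one-time challenge, the client returns a detached signature over it, and the server accepts the login only if the signature verifies and the signing key carries a certification by the webmaster's key (the "signed by the webmaster" condition). Everything here is assumed for illustration: the user-ids wm@example.org, alice@example.org and mallory@example.org, the challenge format "login example.org <nonce>", the nonce directory, and the helper names. It needs gpg 2.1 or later on PATH and creates its own throwaway GNUPGHOME.

```shell
#!/bin/sh
# Added example (not from the thread): PGP challenge-response login for a website.
# The server hands the client a one-time challenge, the client signs it with gpg,
# and the server accepts only if the signature verifies AND the signing key carries
# a certification by the webmaster's key. Key names, message format and file
# layout are assumptions for illustration. Needs gpg >= 2.1 on PATH.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; skipping demo"; exit 0; }

# Create a throwaway ed25519 signing key for user-id $1; print its fingerprint.
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 sign never 2>/dev/null
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# One keyring stands in for both sides here; a real server would hold only the
# webmaster's key pair and the users' public keys.
setup_demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
    NONCE_DIR=$GNUPGHOME/issued-nonces; mkdir "$NONCE_DIR"
    WM_FPR=$(gen_key wm@example.org)            # webmaster: the site's trust anchor
    USER_FPR=$(gen_key alice@example.org)       # user whose key the webmaster has signed
    STRANGER_FPR=$(gen_key mallory@example.org) # valid key, never certified by the webmaster
    # The keysigning the login depends on: the webmaster certifies alice's key.
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        -u "$WM_FPR" --quick-sign-key "$USER_FPR" 2>/dev/null
}

# Server side: mint a fresh random nonce, remember it, send the challenge text.
# Binding the site name into the challenge stops a signature collected by one
# site from being replayed at another.
issue_challenge() {
    nonce=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    : > "$NONCE_DIR/$nonce"   # one file per outstanding nonce; deleted on use
    echo "login example.org $nonce"
}

# Client side ($1 = signer fingerprint, $2 = challenge text): detached, armored
# signature over the exact challenge bytes; prints the path of the signature file.
client_sign() {
    sig=$(mktemp)
    printf '%s' "$2" | gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        -u "$1" --armor --detach-sign 2>/dev/null > "$sig"
    echo "$sig"
}

# Server side ($1 = challenge text as returned by the client, $2 = signature file).
# Prints a verdict; returns 0 only for an accepted login.
verify_login() {
    nonce=${1##* }
    # The nonce comes from the client: refuse anything that is not plain hex
    # before using it in a path.
    case "$nonce" in *[!0-9a-f]*|'') echo "reject: malformed nonce"; return 1;; esac
    [ -f "$NONCE_DIR/$nonce" ] || { echo "reject: unknown or already-used nonce"; return 1; }
    msg=$(mktemp); printf '%s' "$1" > "$msg"
    # VALIDSIG's last field is the primary-key fingerprint of whatever key signed.
    fpr=$(gpg --batch --status-fd 1 --verify "$2" "$msg" 2>/dev/null \
          | awk '$2=="VALIDSIG"{print $NF}')
    rm -f "$msg"
    [ -n "$fpr" ] || { echo "reject: bad signature"; return 1; }
    # Look for a certification on that key made by the webmaster's key ID
    # (last 16 hex digits of the fingerprint) in the colon-separated sig listing.
    wm_keyid=$(printf '%s' "$WM_FPR" | tail -c 16)
    if ! gpg --batch --with-colons --list-sigs "$fpr" 2>/dev/null \
         | awk -F: -v k="$wm_keyid" '$1=="sig" && $5==k {ok=1} END{exit !ok}'; then
        echo "reject: key $fpr is not certified by the webmaster"; return 1
    fi
    rm "$NONCE_DIR/$nonce"    # consume the nonce so the same signature cannot log in twice
    echo "ok $fpr"
}

setup_demo
CH=$(issue_challenge)
SIG=$(client_sign "$USER_FPR" "$CH")
verify_login "$CH" "$SIG"                # accepted: alice's key is certified by the webmaster
verify_login "$CH" "$SIG" || true        # rejected: replay of an already-used nonce
```

A few points that bear on the questions in the message: only a signature crosses the wire, never key material, so the exchange itself does not depend on https, but whatever session cookie or token the site issues after "ok" still needs TLS or it can be stolen like any other session. The scope (whole site or a sub-directory) is the web application's decision, since this check runs in the application rather than in the HTTP server's Basic-auth layer. The client does need gpg installed locally, much like SSH needs an SSH client. Not shown: expiring outstanding nonces after a short time, and deleting the nonce on failed attempts too if you want to limit guessing against a single challenge.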
