pgp logins

Neil Williams linux@codehelp.co.uk
Fri Jul 25 00:02:02 2003



On Thursday 24 Jul 2003 4:04 pm, Jean-David Beyer wrote:

> Chicken and egg problem. In addition to a GnuPG public-private key pair,
> I also have a VeriSign digital certificate. Web sites can query me for
> that and it would be unnecessary for them to ask for a login and
> password. But I know of no web sites that do that.
>
> I imagine the problem is that no web site wants two mechanisms for user
> authentication, and until a large majority of the public has such
> certificates, the method used by VeriSign (and others) will not be used.

OK. I'll bite. I am currently considering an alternative authentication
protocol for a website where GnuPG/PGP is already in use. I was going to just
move from Basic HTTP authentication to MySQL (which is faster but retains
manual password entry protocols). I wouldn't mind having dual authentication
for those users whose GnuPG keys have been signed by the webmaster (me) -
call it an incentive for more keysignings.

So how is it done? Does it involve Kerberos (not used yet) type transfer or
SSH (used)? Does it involve transferring key data - would that need to be
done over a https:// connection (not currently available)? How would it work
with user firewalls? Does it work for only sub-directories within the site or
must it apply for the entire site? Is there a requirement for a separate
client on each user machine (like SSH) which has to be separately installed?

Does the capability exist yet? (Not being very successful with google so far
on this.)

>
> Similarly for PGP or GnuPG: until the majority of computer users out
> there are using them, and their keys are in the web of trust of the web
> site operators, the web site operators will ignore these too.

I've got a decent web of trust so far without any real effort so I'm hoping it
could work for me.

> After several years, I have actually met someone who has a GnuPG public
> key in person. (We exchanged fingerprints after examining each others'
> passports.) At this rate, all this encryption and digital signature
> stuff will be used mostly by hobbyists amusing themselves, and in
> certain very specialized situations.

You need a LUG!

-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://slashdot.org/~codehelp

