Fri Jul 25 01:17:02 2003
Neil Williams wrote:
> So how is it done? Does it involve Kerberos (not used yet) type
> transfer or SSH (used)? Does it involve transferring key data -
> would that need to be done over a https:// connection (not
> currently available)? How would it work with user firewalls? Does
> it work for only sub-directories within the site or must it apply
> for the entire site? Is there a requirement for a separate client
> on each user machine (like SSH) which has to be separately
I'd think this could be a simple script. Start with a login page that
displays a random selection of text to be signed. The user copies
the text and signs it and pastes it into a textbox. On submit, the
script runs gpg (or gpgv) to verify the signature on the contents of
the textbox. Extract the email address for the login ID. Drop your
info into a session cookie to keep the state as the user surfs your site.
No problems with firewalls, Kerberos, or SSH. Keys would only need to
be passed or retrieved from a keyserver once (unless you already have
the key). Use it for the entire site or by individual page. Your choice.
> Does the capability exist yet? (Not being very successful with
> google so far on this.)
I don't have an answer to this one. I looked, but like you didn't spot
 This could also be a small file with a bit more work involved.
 Or use it to look up the login ID.
Creating solutions to any problem.
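The login flow described in the reply above, as an added example that is not part of the original message: the server issues a single-use random challenge, runs gpg on the pasted clearsigned block, and accepts the login only if the signed text is exactly that challenge and gpg reports one good signature. The names `pending`, `ACCOUNTS`, `CHALLENGE_TTL` and the fingerprint are constructed for illustration, and looking up the login ID by key fingerprint in a server-side table (rather than reading the e-mail address from the key's user ID) is a choice made in this sketch.

```python
import secrets, subprocess, tempfile, time
from pathlib import Path

CHALLENGE_TTL = 300   # seconds a challenge stays valid (assumed value)
pending = {}          # session id -> (challenge, issue time); stand-in for a session store
ACCOUNTS = {"0123456789ABCDEF0123456789ABCDEF01234567": "alice@example.org"}  # constructed

def issue_challenge(session_id, now=None):
    """Create the random text shown on the login page and remember it server-side."""
    text = "login-challenge " + secrets.token_hex(16)
    pending[session_id] = (text, time.time() if now is None else now)
    return text

def signer_fingerprint(status):
    """Primary-key fingerprint from gpg status output, or None unless exactly one good signature."""
    good, fprs = 0, []
    for line in status.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return None
        if f[1] == "GOODSIG":
            good += 1
        elif f[1] == "VALIDSIG" and len(f) >= 3:
            fprs.append(f[11] if len(f) >= 12 else f[2])  # last field is the primary key
    return fprs[0] if good == 1 and len(fprs) == 1 else None

def login(session_id, plaintext, status, now=None):
    """Return the login ID, or None. The challenge is consumed on the first attempt."""
    text, issued = pending.pop(session_id, (None, 0.0))   # single use: replays fail
    now = time.time() if now is None else now
    if text is None or now - issued > CHALLENGE_TTL:
        return None
    if plaintext.strip() != text:       # a valid signature over some other text
        return None
    return ACCOUNTS.get(signer_fingerprint(status) or "")

def run_gpg(pasted, keyring):
    """Verify the pasted clearsigned block; returns (signed text, status lines)."""
    with tempfile.TemporaryDirectory() as d:
        src, out = Path(d, "in.asc"), Path(d, "out.txt")
        src.write_text(pasted)
        p = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
                            "--status-fd", "1", "--output", str(out), "--decrypt", str(src)],
                           capture_output=True, text=True)
        return (out.read_text() if out.exists() else ""), p.stdout
```

A request handler would call `login(session_id, *run_gpg(pasted_text, keyring_path))` with an absolute keyring path and set the session cookie only when a login ID comes back.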