pgp logins

Eugene Smiley eugene@esmiley.net
Fri Jul 25 01:17:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Neil Williams wrote:
> So how is it done? Does it involve Kerberos (not used yet) type
> transfer or SSH (used)? Does it involve transferring key data -
> would that need to be done over a https:// connection (not
> currently available)? How would it work with user firewalls? Does
> it work for only sub-directories within the site or must it apply
> for the entire site? Is there a requirement for a separate client
> on each user machine (like SSH) which has to be separately
> installed?

I'd think this could be a simple script. Start with a login page that
displays a random selection of text to be signed[1]. The user copies
the text and signs it and pastes it into a textbox. On submit, the
script runs gpg (or gpgv) to verify the signature on the contents of
the textbox. Extract the email address for the login ID[2]. Drop your
info into a session cookie to keep the state as the user surfs your site.

No problems with firewalls, Kerberos, or SSH. Keys would only need to
be passed or retrieved from a keyserver once (unless you already have
the key). Use it for the entire site or by individual page. Your choice.

> Does the capability exist yet? (Not being very successful with
> google so far on this.)

I don't have an answer to this one. I looked but, like you, didn't spot
anything.


[1] This could also be a small file with a bit more work involved.
[2] Or use it to look up the login ID.

- --
Creating solutions to any problem.

http://www.biglumber.com/
http://openpgp.meetup.com/
http://ca.groups.yahoo.com/group/GSWoT/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-nr2 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/IGlF6QPtAqft/S8RAnWKAKDQdyvNKGenhwY01f98T3dfCYf5kACeL3Id
o61hiRa2h+8j1zwuc/MgZyQ=
=Ev1x
-----END PGP SIGNATURE-----
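
The login flow described in the message above, sketched as an added example (not code from the post or its author). Assumptions: all function names, the five-minute challenge lifetime, the constructed fingerprint in `ACCOUNTS`, the use of `gpg --decrypt` to recover the text that was actually signed, and the choice to key accounts on the signing key's fingerprint (the footnote [2] route), since the email address in a key's user ID is chosen by whoever created the key.

```python
import secrets, subprocess, time

CHALLENGE_TTL = 300   # seconds a challenge stays valid (assumed policy)
ACCOUNTS = {"0123456789ABCDEF0123456789ABCDEF01234567": "alice"}  # constructed fingerprint -> login ID
_pending = {}         # challenge -> issue time; bind this to the visitor's session in a real site

def issue_challenge(now=None):
    """Random text for the login page, remembered so it is accepted only once."""
    text = "login-challenge " + secrets.token_hex(16)
    _pending[text] = time.time() if now is None else now
    return text

def run_gpg(pasted, keyring):
    """Run gpg on the pasted clearsigned block; return (signed_text, status_lines)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "2", "--decrypt"],
        input=pasted.encode(), capture_output=True, timeout=10)
    return proc.stdout.decode(errors="replace"), proc.stderr.decode(errors="replace")

def signer_fingerprint(status):
    """Primary-key fingerprint of a good signature, else None."""
    good, fpr = False, None
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "GOODSIG"]:     # absent for expired or revoked keys
            good = True
        elif parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 12:
            fpr = parts[-1]                          # last field: primary key fingerprint
    return fpr if good else None

def login(signed_text, status, now=None):
    """Return the login ID, or None. signed_text is what gpg reports was signed."""
    now = time.time() if now is None else now
    fpr = signer_fingerprint(status)
    issued = _pending.pop(signed_text.strip(), None)  # single use: a replay finds nothing
    if fpr is None or issued is None or now - issued > CHALLENGE_TTL:
        return None
    return ACCOUNTS.get(fpr)

def handle_submit(pasted, keyring):
    """Form handler body: verify the textbox contents, then resolve the account."""
    return login(*run_gpg(pasted, keyring))
```

Comparing the text gpg outputs, rather than the raw textbox contents, keeps unsigned text placed around the signed block from being treated as the signed challenge.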