Marcus Povey and PGP-based login

Marcus Povey is proposing to use PGP/GPG to log into personal websites such as Known.

Where have I heard this before? ;-) Oh, yes, LID, circa 2005, before OpenID etc.

Here is how a digitally signed LID requests looks like, broken into separate lines for better readability:

http://example.com
    ?lid=http%3A%2F%2Fmylid.net%2Fjernst
    &lid-credtype=gpg%20--clearsign
    &lid-nonce=2014-05-30T16%3A54%3A57.016Z
    &lid-credential=SHA1%0AVersion%3A+GnuPG+v1.4.11+%28GNU%2FLinux%29%0A%0AiEYEARECAAYFAlOIt%2BEACgkQsIOiz0BhWYZ9MACcCelf5T6XyywOZ5jVq3eyMw9m%0A8C4AoJ6Vz47PKR2%2FEvNqDkv7OWFyHdSU%0A%3DpVzh%0A

where:

lid:
The URL identifying the entity requesting access, e.g. my blog
lid-credtype:
for extensibility, specifies the kind of credential provided
lid-nonce:
a timestamp, to avoid reply attacks (Hi, Marcus!)
lid-credential:
the credential, a digital signature over the request and the nonce, from the gpg output without some of the boilerplate

Some more info about LID is on the InfoGrid Wiki.

Do I think this is a good idea? Oh, Yes! Much better than much other stuff that has been bandied about for identity on the internet in the past 9+ years.

Comments are closed.