Upon 2020

Marcus Povey and PGP-based login

Marcus Povey is proposing to use PGP/GPG to log into personal websites such as Known.

Where have I heard this before? ;-) Oh, yes, LID, circa 2005, before OpenID etc.

Here is how a digitally signed LID requests looks like, broken into separate lines for better readability:

http://example.com
    ?lid=http%3A%2F%2Fmylid.net%2Fjernst
    &lid-credtype=gpg%20--clearsign
    &lid-nonce=2014-05-30T16%3A54%3A57.016Z
    &lid-credential=SHA1%0AVersion%3A+GnuPG+v1.4.11+%28GNU%2FLinux%29%0A%0AiEYEARECAAYFAlOIt%2BEACgkQsIOiz0BhWYZ9MACcCelf5T6XyywOZ5jVq3eyMw9m%0A8C4AoJ6Vz47PKR2%2FEvNqDkv7OWFyHdSU%0A%3DpVzh%0A

where:

lid:: The URL identifying the entity requesting access, e.g. my blog
lid-credtype:: for extensibility, specifies the kind of credential provided
lid-nonce:: a timestamp, to avoid reply attacks (Hi, Marcus!)
lid-credential:: the credential, a digital signature over the request and the nonce, from the gpg output without some of the boilerplate

Some more info about LID is on the InfoGrid Wiki.

Do I think this is a good idea? Oh, Yes! Much better than much other stuff that has been bandied about for identity on the internet in the past 9+ years.

May 30, 2014

Johannes Ernst

Digital Identity, Indie Web

indieweb, known

4 responses to “Marcus Povey and PGP-based login”

ShaneHudson says:

May 31, 2014 at 09:46

RT @Johannes_Ernst: Marcus Povey and PGP-based login http://t.co/fuSVLmIxrr #indieweb #lid #pgp #gpg
mapkyca says:

May 30, 2014 at 12:26

@Johannes_Ernst @npdoty @benwerd Heh! There’s nothing new under the sun! ;)
benwerd says:

May 30, 2014 at 12:11

@Johannes_Ernst @mapkyca @npdoty What are the barriers to us just going ahead and using this?
Johannes_Ernst says:

May 30, 2014 at 10:04

@mapkyca @npdoty @benwerd This sounds very familiar :-) http://t.co/QTGl63LkhL