Marcus Povey and PGP-based login

Marcus Povey is proposing to use PGP/GPG to log into personal websites such as Known.

Where have I heard this before? ;-) Oh, yes, LID, circa 2005, before OpenID etc.

Here is how a digitally signed LID requests looks like, broken into separate lines for better readability:


The URL identifying the entity requesting access, e.g. my blog
for extensibility, specifies the kind of credential provided
a timestamp, to avoid reply attacks (Hi, Marcus!)
the credential, a digital signature over the request and the nonce, from the gpg output without some of the boilerplate

Some more info about LID is on the InfoGrid Wiki.

Do I think this is a good idea? Oh, Yes! Much better than much other stuff that has been bandied about for identity on the internet in the past 9+ years.

Comments are closed.