Marcus Povey is proposing to use PGP/GPG to log into personal websites such as Known.
Where have I heard this before? ;-) Oh, yes, LID, circa 2005, before OpenID etc.
Here is how a digitally signed LID requests looks like, broken into separate lines for better readability:
http://example.com
?lid=http%3A%2F%2Fmylid.net%2Fjernst
&lid-credtype=gpg%20--clearsign
&lid-nonce=2014-05-30T16%3A54%3A57.016Z
&lid-credential=SHA1%0AVersion%3A+GnuPG+v1.4.11+%28GNU%2FLinux%29%0A%0AiEYEARECAAYFAlOIt%2BEACgkQsIOiz0BhWYZ9MACcCelf5T6XyywOZ5jVq3eyMw9m%0A8C4AoJ6Vz47PKR2%2FEvNqDkv7OWFyHdSU%0A%3DpVzh%0A
where:
- lid:
- The URL identifying the entity requesting access, e.g. my blog
- lid-credtype:
- for extensibility, specifies the kind of credential provided
- lid-nonce:
- a timestamp, to avoid reply attacks (Hi, Marcus!)
- lid-credential:
- the credential, a digital signature over the request and the nonce, from the gpg output without some of the boilerplate
Some more info about LID is on the InfoGrid Wiki.
Do I think this is a good idea? Oh, Yes! Much better than much other stuff that has been bandied about for identity on the internet in the past 9+ years.
Comments
4 responses to “Marcus Povey and PGP-based login”
RT @Johannes_Ernst: Marcus Povey and PGP-based login http://t.co/fuSVLmIxrr #indieweb #lid #pgp #gpg
@Johannes_Ernst @npdoty @benwerd Heh! There’s nothing new under the sun! ;)
@Johannes_Ernst @mapkyca @npdoty What are the barriers to us just going ahead and using this?
@mapkyca @npdoty @benwerd This sounds very familiar :-) http://t.co/QTGl63LkhL