/prog/ - Programming

Has anyone already devised a method to create an account and login using only a PGP key? The way I envision the account creation process is that the new user simply uploads his public key, but I am not sure how the login would work. Maybe send some data to the user and ask him to sign it with his private key? It sounds kinda autistic to me, so I wonder if a better way already exists?
>>
Anonymous 02/27/22(Sun)22:44:33 No. fprog-OTDKPCG7
>>fprog-UEV7X7XK (OP) i mean you're basically reinventing hashed and salted password logins with pgp, which seems like a downgrade. you could probably create the account with a public key and have the server send data encrypted with the public key to be decrypted with the user's private key, kind of like a captcha challenge
>>
Anonymous 03/01/22(Tue)17:12:13 No. X35RFOWV
>>fprog-UEV7X7XK (OP) TLS client certificates are a thing and are also supported by browsers
>>
Anonymous 04/04/22(Mon)20:02:26 No. fprog-U9BJTA08 >>fprog-IWU0P8RD
>>fprog-X35RFOWV → what if doing it with http, for example over tor?
>>
Anonymous 04/09/22(Sat)16:36:59 No. fprog-IWU0P8RD
>>fprog-U9BJTA08 TLS over TOR works no?
>>
Anonymous 07/08/22(Fri)00:25:31 No. 4PW8KK95
This is basically what SQRL is. https://www.grc.com/sqrl/sqrl.htm Tl;dr you hash a master key with the domain name to derive a per site key, which you use to log in. Adding something to the domain name before hashing allows you to have multiple identities for the same site.
>>
Anonymous 07/08/22(Fri)19:37:44 No. fprog-GFS47SBW
>Maybe send some data to the user and ask him to sign it with his private key?
sounds like challenge response authentication where the challenge is sending the same data back signed
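
The sign-a-challenge login discussed in this thread, as an added example that is not from any poster: the server issues a random single-use nonce, the client signs it, and the server verifies against the key uploaded at registration. Ed25519 from Node's built-in `crypto` stands in for a PGP signing key; `ORIGIN`, `TTL_MS`, the message label and all function names are assumptions made for the illustration.

```javascript
// Added example: challenge-response login against a registered public key.
// Ed25519 (Node built-in crypto) is used here in place of a PGP signing key.
const crypto = require('node:crypto');

const ORIGIN = 'login.example';   // assumed site name, bound into every signed message
const TTL_MS = 60_000;            // assumed challenge lifetime
const users = new Map();          // username -> registered public key
const pending = new Map();        // username -> { nonce, expires }

// Account creation: the user uploads only a public key.
function register(username, publicKeyPem) {
  users.set(username, crypto.createPublicKey(publicKeyPem));
}

// Server step 1: issue a fresh random challenge for this user.
function issueChallenge(username, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString('hex');
  pending.set(username, { nonce, expires: now + TTL_MS });
  return nonce;
}

// The signed message carries a fixed label, the origin and the nonce, so a
// signature is useless on another site and the key never signs arbitrary data.
function messageFor(username, nonce) {
  return Buffer.from(`pk-login-v1|${ORIGIN}|${username}|${nonce}`);
}

// Client side: sign the challenge with the private key.
function signChallenge(privateKey, username, nonce) {
  return crypto.sign(null, messageFor(username, nonce), privateKey);
}

// Server step 2: verify once, then discard the challenge so it cannot be replayed.
function verifyLogin(username, signature, now = Date.now()) {
  const key = users.get(username);
  const ch = pending.get(username);
  pending.delete(username);                       // single use, pass or fail
  if (!key || !ch || now > ch.expires) return false;
  return crypto.verify(null, messageFor(username, ch.nonce), key, signature);
}

// Constructed demo run with a throwaway key pair.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
register('anon', publicKey.export({ type: 'spki', format: 'pem' }));
const nonce = issueChallenge('anon');
const sig = signChallenge(privateKey, 'anon', nonce);
console.log('first login :', verifyLogin('anon', sig));   // true
console.log('replayed sig:', verifyLogin('anon', sig));   // false
```
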
