- From: Story Henry <henry.story@bblfish.net>
- Date: Sun, 28 Feb 2010 15:51:58 +0100
- To: Semantic Web <semantic-web@w3.org>, tls@ietf.org, Working Group HTTP <ietf-http-wg@w3.org>
Hello,
I am looking around to see if anyone knows an algorithm to allow one to produce a one time password [1] from the private key part of an asymmetric key pair.
The article "Public-Key Cryptography and Password Protocols"
http://www.cparity.com/projects/AcmClassification/samples/322514.pdf
shows how to do the inverse.
The idea is to make it possible to authenticate into any web site using this one time password. The public key would be tied to a WebId/OpenId, following something like the following steps:
1. A server should be able to know for any webId/openid the public key of that id
2. the user will have
- the private key
- using its private key (and perhaps a time stamp, or a nonce from the server, ... ) the user's software would calculate a one time password which the user could then send with its WebId/OpenId to the server
3. the server which gets the openid/webid find the public key securely and use
that to verify the one time password (somehow)
This would allow us to make it easy to create RESTful authentication for devices with broken (Safari on desktop and iphone) or non existent client side certificates (Android, and most other phones).
For devices with working client side certificates we have foaf+ssl that works reasonably well currently - though we would love the browser vendors to implement user interface improvements. http://esw.w3.org/topic/foaf+ssl
What we are looking may be impossible. But we can't tell before looking :-)
Also if you know of lists that are open source/open standard spirited that you think I should send this question to, please let me know.
Henry
[1] http://en.wikipedia.org/wiki/One_time_password
http://code.google.com/p/mod-authn-otp/wiki/OneTimePasswords
Social Web Architect
http://bblfish.net/
Received on Sunday, 28 February 2010 15:23:53 UTC