- From: Christoph Hack <c.hack@gmx.at>
- Date: Fri, 15 Feb 2008 01:00:39 +0100
- To: public-usable-authentication@w3.org
Hiho everybody,

today Public Keys are very popular and most Internet applications support GPG-Keys (e.g. lots of Mail readers and Jabber). Those public keys are much more secure, and the user doesn't have to transmit his password and remember it. But up to now, there aren't any Web Browsers which support a way to ask the user to sign something with his personal GPG Key (please tell me if I'm wrong). But I think if somebody could write an RFC or something similar for that, there might be a chance of getting this feature into some full-featured browsers :)

Use Case:

A use case for that could be the authentication handling for a web site. The website must provide an (optional) way for the user to attach his public keys to his profile, and when the user wants to log in, it's enough if he is able to decrypt or sign a specific message.

Benefits:

- the user must not remember different passwords
- it's probably much more secure than other password handling methods
- websites could use this as an alternative authentication method
- Brute Force attacks against hashes in big databases (like recently on phpbb, woltlab, smf) aren't possible any more
- and yes, I know that this idea is similar to OpenID, but it doesn't require any additional services

Problems:

You can't use static messages for signing or decrypting, because then there is a high risk that somebody might collect and use the authentication information again. On the other side, completely dynamic messages allow the server to get any message signed by the user, probably with content the user doesn't want to sign. So there must be a well defined format (for example a tuple including a general header to describe the context, a domain and a secret (session)-key)...

So, I am very interested in your opinion now. Do you think there is a way to get a feature like that? Or is this idea just crap?

Regards,
Christoph Hack

PS: I hope this is the right ML to share this idea; if not, please redirect me to the right one...
Received on Friday, 15 February 2008 15:09:31 UTC
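The "Problems" paragraph above describes the core design question: the challenge must be fresh (so a captured response cannot be replayed) but also tightly formatted (so a server cannot get arbitrary text signed). The following is an added example, not code from the post or from any browser or GPG project, that sketches such a scheme in Go with Ed25519 in place of GPG. The challenge is the tuple the post proposes (a fixed context header, the site's domain, a server-chosen secret), the client side refuses to sign anything that does not parse as a challenge for the domain the user is actually visiting, and the server accepts each nonce exactly once and only within a time limit. All names (`Header`, `Challenge`, `SignChallenge`, `Server`) and the line-based encoding are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Header is the fixed context string (an assumed value): it marks the text as a
// login challenge and nothing else, so the signature is useless as a signed document.
const Header = "web-login-challenge-v1"

// Challenge is the tuple from the post: context header, site domain, per-session secret.
type Challenge struct {
	Domain string
	Nonce  string // hex-encoded random value chosen by the server
}

// Encode renders the challenge in a fixed three-line form that both sides parse.
func (c Challenge) Encode() string {
	return strings.Join([]string{Header, c.Domain, c.Nonce}, "\n")
}

// ParseChallenge rejects anything that is not exactly the expected tuple.
func ParseChallenge(text string) (Challenge, error) {
	parts := strings.Split(text, "\n")
	if len(parts) != 3 || parts[0] != Header || parts[1] == "" || parts[2] == "" {
		return Challenge{}, errors.New("not a login challenge")
	}
	return Challenge{Domain: parts[1], Nonce: parts[2]}, nil
}

// SignChallenge is the browser/agent side. It signs only text that parses as a
// challenge for the domain the user is visiting, so a server cannot harvest
// signatures over arbitrary content or over another site's challenge.
func SignChallenge(priv ed25519.PrivateKey, visiting, text string) ([]byte, error) {
	c, err := ParseChallenge(text)
	if err != nil {
		return nil, err
	}
	if c.Domain != visiting {
		return nil, fmt.Errorf("challenge is for %q, not for %q", c.Domain, visiting)
	}
	return ed25519.Sign(priv, []byte(text)), nil
}

type pendingLogin struct {
	user   string
	issued time.Time
}

// Server holds registered public keys and the outstanding one-time challenges.
type Server struct {
	Domain  string
	TTL     time.Duration
	Now     func() time.Time // injectable clock, defaults to time.Now
	keys    map[string]ed25519.PublicKey
	pending map[string]pendingLogin // nonce -> who it was issued to and when
}

func NewServer(domain string, ttl time.Duration) *Server {
	return &Server{Domain: domain, TTL: ttl, Now: time.Now,
		keys: map[string]ed25519.PublicKey{}, pending: map[string]pendingLogin{}}
}

// Register attaches a public key to a user's profile.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Issue creates a fresh challenge for one login attempt and remembers its nonce
// server-side, so neither the nonce nor the issue time is trusted from the client.
func (s *Server) Issue(user string) (string, error) {
	if _, ok := s.keys[user]; !ok {
		return "", errors.New("unknown user")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	c := Challenge{Domain: s.Domain, Nonce: hex.EncodeToString(raw)}
	s.pending[c.Nonce] = pendingLogin{user: user, issued: s.Now()}
	return c.Encode(), nil
}

// Verify accepts a login only for an outstanding, unexpired nonce issued to this
// user, and consumes the nonce so a captured response cannot be replayed.
func (s *Server) Verify(user, text string, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	c, err := ParseChallenge(text)
	if err != nil {
		return err
	}
	p, ok := s.pending[c.Nonce]
	if !ok || p.user != user || c.Domain != s.Domain {
		return errors.New("challenge not outstanding for this user")
	}
	delete(s.pending, c.Nonce) // single use, whether or not the signature checks out
	if s.Now().Sub(p.issued) > s.TTL {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, []byte(text), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("example.org", 2*time.Minute)
	srv.Register("alice", pub)
	text, _ := srv.Issue("alice")
	sig, _ := SignChallenge(priv, "example.org", text)
	fmt.Println("login:", srv.Verify("alice", text, sig))
	fmt.Println("replay:", srv.Verify("alice", text, sig))
}
```

The domain check on the client side is what keeps a "completely dynamic" challenge from becoming a blank cheque: the agent will sign a challenge for example.org only while the user is on example.org, and it never signs free-form text at all. Deleting the nonce before checking the signature means a single wrong guess also burns the challenge, which is the intended behaviour for a one-time login token.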