On Tue, 28 Feb 2017 01:28, gl...@rempe.us said:

> What though is the benefit of using gnupg key as the crypto behind the
> client auth? Seems like you are more exposed by having a portable gpg
It is up to the user where to store the key. For obvious reasons the user should use a token (e.g. gnuk or another OpenPGP smartcard, or one of the other supported X.509 smartcards).

Frankly, I don't really understand the use case for U2F. Why not use plain user certificates, which have been supported by browsers and servers for ages? Is that because the web frameworks don't have good support for this? An old argument against user certificates was the need to purchase a device or a certificate. Now U2F requires that you purchase a device anyway, thus this would void that argument.

With OpenPGP a web service could ask for the user's public key during enrollment and sign that key with their key. The login procedure can then send a challenge, verify it and check that the key has been signed (OpenPGP key signature) by their key. That would be a decentralized system and only the enrollment needs to care about user data and such. The user could use the very same key (token) for other services as well because other service providers can either add their own key signature or trust the key signature of another service provider.

Well, backup is certainly an issue but one which can be solved - in particular when the tokens are produced by the service provider. The OpenPGP card spec provides secure messaging and a few other features, which we once designed for a similar purpose: A service provider was able to update the user's cards over the net (time-based travel cards).

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
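The enrollment-then-challenge scheme sketched in the message above, written out as an added example (it is not code from the thread or from GnuPG). It models an OpenPGP key signature with a plain Ed25519 signature over the user's public key, since Go's standard library has no OpenPGP packet support; the service names, the "certify"/"login" message prefixes and the single-use challenge store are assumptions made for the example. The service keeps no user database at login time: it checks the challenge response against the presented key and then checks that the key carries a certification from itself or from another provider it has chosen to trust. The challenge is bound to the service name so that a response produced for one service cannot be replayed at another that trusts the same key, and each challenge is consumed on first use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Certification stands in for an OpenPGP key signature: the issuer's
// signature over the user's public key, produced at enrollment.
type Certification struct {
	Issuer    ed25519.PublicKey
	Signature []byte
}

// Service is the web service (relying party): its own key pair, the issuers
// whose certifications it accepts, and the challenges it has handed out.
type Service struct {
	Name       string
	Pub        ed25519.PublicKey
	priv       ed25519.PrivateKey
	trusted    []ed25519.PublicKey
	challenges map[string]bool // outstanding challenges, single use
}

func NewService(name string) (*Service, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s := &Service{Name: name, Pub: pub, priv: priv, challenges: map[string]bool{}}
	s.trusted = []ed25519.PublicKey{pub} // a service always trusts its own certifications
	return s, nil
}

// Trust adds another provider whose key signatures this service accepts.
func (s *Service) Trust(issuer ed25519.PublicKey) { s.trusted = append(s.trusted, issuer) }

// certMessage is what an issuer signs at enrollment (assumed format).
func certMessage(user ed25519.PublicKey) []byte {
	return append([]byte("certify:"), user...)
}

// loginMessage binds the challenge to the service name so a signature made
// for one service is useless at another (assumed format).
func loginMessage(service string, challenge []byte) []byte {
	return append([]byte("login:"+service+":"), challenge...)
}

// Enroll is the only step that deals with user data (identity checks happen
// out of band); it returns the service's signature over the user's key.
func (s *Service) Enroll(user ed25519.PublicKey) Certification {
	return Certification{Issuer: s.Pub, Signature: ed25519.Sign(s.priv, certMessage(user))}
}

// NewChallenge issues a fresh random challenge and remembers it for one use.
func (s *Service) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// SignChallenge is the client side: the user's key (ideally held on a token)
// signs the challenge together with the service name.
func SignChallenge(priv ed25519.PrivateKey, service string, challenge []byte) []byte {
	return ed25519.Sign(priv, loginMessage(service, challenge))
}

// Login verifies the challenge response and requires a certification of the
// presented key by a trusted issuer. No per-user record is consulted.
func (s *Service) Login(user ed25519.PublicKey, certs []Certification, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !s.challenges[key] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, key) // consume first: a failed attempt burns the challenge too
	if !ed25519.Verify(user, loginMessage(s.Name, challenge), sig) {
		return errors.New("challenge signature invalid")
	}
	for _, c := range certs {
		for _, t := range s.trusted {
			if bytes.Equal(c.Issuer, t) && ed25519.Verify(t, certMessage(user), c.Signature) {
				return nil
			}
		}
	}
	return errors.New("key not certified by a trusted issuer")
}

func main() {
	shop, _ := NewService("shop.example") // constructed service names
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := shop.Enroll(userPub)
	ch, _ := shop.NewChallenge()
	fmt.Println("login at shop:", shop.Login(userPub, []Certification{cert}, ch, SignChallenge(userPriv, shop.Name, ch)))
	fmt.Println("replayed challenge:", shop.Login(userPub, []Certification{cert}, ch, SignChallenge(userPriv, shop.Name, ch)))
	mail, _ := NewService("mail.example")
	mail.Trust(shop.Pub) // second provider relies on the first one's key signature
	ch2, _ := mail.NewChallenge()
	fmt.Println("login at mail with shop's certification:", mail.Login(userPub, []Certification{cert}, ch2, SignChallenge(userPriv, mail.Name, ch2)))
}
```

Run it with `go run`; the first and third logins return `<nil>` and the replay is rejected. A real deployment would check the certification's expiry or revocation as well, which OpenPGP key signatures carry and this model omits.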