>> Many sites seem happy to manage a password for each user. The state of the art seems to be, let the user select a password,
>> and use an e-mail exchange to verify that the user is who they say they are. It seems that it would not be much more complicated
>> to let the user present the signature of a public key, and use an e-mail exchange to verify that this is indeed the user's public key.
>> Has that been tried already?
>
> Maybe so. This works fine, but doesn't allow for per-device repudiation.

Sure. But passwords don't support repudiation either... It seems the biggest hurdle would be getting a JavaScript API that connects with a local store of the PGP or GPG key.

-- Christian Huitema
