|
Title: Public key as ID for market account system Post by: Nefario on January 24, 2011, 09:20:00 AM In building the stock market application I want to use the public key from an RSA generated pair as the account owners id, so no username or password, just the public key.
If they wanted to use another keypair(for example the one they have is compromised) they can keep the same public key as an ID but the actuall public key used for authentication is a new one. Is this a good idea? Or is it a better choice to use an email address as the users ID (remember the ID must be unique), this way a user can change the keypairs used for their account How does bitcoin manage this? It can generate many keys (bitcoin addresses) for a single wallet, what is the id used in the wallet(that owns all those public keys?)? Title: Re: Public key as ID for market account system Post by: davout on January 24, 2011, 09:29:19 AM Nobody "owns" them, the keypair is in your keystore or it isn't.
As for the User ID you should stick with something unique, account number, random hash, whatever and use the key for authentication (but not for identification). Title: Re: Public key as ID for market account system Post by: gene on January 27, 2011, 11:15:45 AM I think that using ssh keys would be great. Let the user choose a username or automatically create a unique hash and authenticate against the ssh key.
This is far stronger than typical password/email authentication schemes. Of course, it could complement an enhanced scheme: perhaps give the user the option to allow key resetting via a PGP-encrypted mechanism. The user would have to upload a public PGP key and email, but would ensure that the mechanism would only be usable by whoever has the private PGP key. Normal authentication via ssh key and PGP-protected credential resetting mechanism, in case of ssh key loss. |