Public Key Infrastructure

[kiba]

How about implementing public key encryption across all bitcoin services whenever possible?

[grondilu]

What do you mean?  Should I remind you that ECDSA doesn't support encryption?

[kiba]

What do you mean?  Should I remind you that ECDSA doesn't support encryption?

Replacing password with GPG-like system in the bitcoin economy.

[grondilu]

Replacing password with GPG-like system in the bitcoin economy.

I've been thinking about that some time ago, but now it appears to me that GPG is definitely not appropriate for such use.

However, normally openssl makes use of key pair cryptography.  I can SSH to a distant server without having to enter a password, for instance.  Basically I just have to put my ssh public key on the distant server.

I don't know why no website is doing anything alike.  There is something I must be missing, because as I understand it, HTTPS relies on the same technology.

[ribuck]

... I can SSH to a distant server without having to enter a password, for instance.  Basically I just have to put my ssh public key on the distant server.

I don't know why no website is doing anything alike ...

The websites don't do it because the Certificate Authorities want to protect their business model and have persuaded the major browser makers to support only their profitable system. I think.

[alkor]

Would it be difficult to add a Firefox add-on that lets you log in supported websites using private/public key authentication? So, instead of having to create a separate password for each website, one would just give them his/her public key.

[Mike Hearn]

You can already log in to websites with public/private keypairs, it's called client SSL auth and it sucks, which is why almost nobody uses it.

PKI is way too complicated for the mass market. Studies have shown even many computer science graduates don't understand it.

[bitcoinex]

You can already log in to websites with public/private keypairs, it's called client SSL auth and it sucks, which is why almost nobody uses it.

But it's good enough technology.
I am use it at ~3 sites.

PKI is way too complicated for the mass market. Studies have shown even many computer science graduates don't understand it.

Not for bitcoiners!

I think we (exchanges admins) need to negotiate and implement such a system simultaneously, so that users had nowhere to go.

[Nefario]

Would it be difficult to add a Firefox add-on that lets you log in supported websites using private/public key authentication? So, instead of having to create a separate password for each website, one would just give them his/her public key.

There is already a plugin being developed called gpgauth that does exactly this.

http://www.curetheitch.com/projects/gpgauth/

[ByteCoin]

What do you mean?  Should I remind you that ECDSA doesn't support encryption?

As I have mentioned a few times before, although ECDSA cannot be easily used for encryption, the keypairs used are perfectly suitable for use in some elliptic curve public-key encryption schemes. It is misleading to try to imply that there are significant technological barriers to implementing a public key encryption scheme using bitcoin addresses.

ByteCoin

[grondilu]

Anyway, I think it would be very cool if we could use this to log into this forum.   But I guess cookies do pretty much the same job.

[da2ce7]

If we implemented a simple 'send from address' to login all you would need to do is send a random amount of small coinage to the forum server.  The server can check if you own that address or not; then send it back to you. 

[justusranvier]

Given recent events is there any good reason for websites dealing with Bitcoins not to start migrating to gpgAuth, or at least making it available as an option?

[TonyHoyle]

Would it be difficult to add a Firefox add-on that lets you log in supported websites using private/public key authentication? So, instead of having to create a separate password for each website, one would just give them his/her public key.

No plugin needed.. startssl do it and it works on anything pretty much, as long as you have the root CA (which for them is easy as it's in the default set that ship with the OS, but might have to be transmitted out of band for a bitcoin CA).

They generate and send you a client key that gets stored in your keychain (this is trivial point and click stuff on most browsers).  Then when you visit the site again it requests that cert. and you are logged in.  If you don't have the key, you don't get in.

The only reason it's not used more widely is more inertia than anything else... people are used to usernames and passwords.

[Batouzo]

If we implemented a simple 'send from address' to login all you would need to do is send a random amount of small coinage to the forum server.  The server can check if you own that address or not; then send it back to you.  

Paste public key to the website,
then website shows you a one-time bitcoin address and some random ~0.01xxxxxxxxx btc amount,
you make that transfer and then your public key is recognized.

With keys established, actually, all one would need to do is to sign/decrypt all http requests.

RFC for http-pgp, anyone?   It would be more then http://gpgauth.org/projects/gpgAuth/ which appears to be just for login (thanks for the link above)

[Nefario]

We're already using RSA keypairs for signing in on GLBSE, all done in JavaScript. We're working on making it more convienient, secure and cross site. Would be a sinch to implement on the server, and saves a lot of webapp problems too.

Nefario.