[sldev] OpenID vs. current proposal vis a vis security

Kamilion kamilion at gmail.com
Sun Sep 30 05:10:32 PDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, I've got an idea.

I've just been sitting here, reading all this discussion on this
authentication scheme, and then I went to go log into my linux box
with putty, and it hit me.

SSH has a pretty freakin' good public/private key system.

How feasible would it be to generate a SSH-like private and public key
for each account based on its current password as the passphrase?

The code's easily found by poking through an SSH daemon like openssh
(Win, Lin, OSX), Dropbear (Lin, OSX) and PuTTY/WinSCP/Pageant on
Windows & ssh-agent on OSX/Linux.
All GPL-v2, AFAIK.

This would allow a very strong, open, and secure implementation.

The client would basically contain a Pageant/ssh-agent that held a
keyring of private keys issued by the server, available once logged in
on the website.

The keyring could hold access to any keypair the user has added (alt-list).

This also solves the problem of logging in at an internet cafe or a
friend's place, with a simple addition of one-time-use keys, even
allowing a different password for an OTU pair.

Comments, flames?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: http://firegpg.tuxfamily.org

iD8DBQFG/5Iu+Hm92PVlrtQRAmW5AJ9S+Yd9k1HbsHGrExBZbjMi/D/yvACghBN7
BEtz1W+FKBxdhjHwxmHJd18=
=wyvC
-----END PGP SIGNATURE-----
