16 Jun 2005 error27   » (Journeyer)

I've been thinking about signing recently. The truth is I'm a bit naive about the whole crypto scene but signing seems like an underused tech.

For example, when you register a domain name like noodle.com they could authenticate your public key. Then you'd set up your email server to sign all outgoing email as coming from noodle.com. Then when the guy on the other end receives it he can tell if it's fake noodle.com spam. You'd still be able to send anonymous email, but it would be detected on the other side if it was impersonating someone else.

Single sign on sounds like a good thing too. Someone registers your email and public key. A web site sends you a token, and you sign it. It checks against your public key. Authenticated.

In fact, it seems like passwords are a bad idea in general. It would be better to just use signing to authenticate who you are. That way you don't have to send your password over the wire and the server doesn't have to store your password, only your public key.

Perhaps you would have a key server that serves public keys. You would use a password for that so that later if you lost your private key you could reset your account. But all the rest of the time, you wouldn't use passwords you would only sign stuff.
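The single sign-on and "server stores only your public key" ideas above, as an added example in Go (not the author's code): the site issues a random token, the client signs it, and the site checks the signature against the key it has on file. It adds two checks the entry does not spell out: tokens are single-use and expire, so a captured response cannot be replayed, and the signed message names the user and purpose, so a signature made for one account or context cannot be presented for another. The names Server, Register, Challenge, Sign and Verify are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"time"
)

// Server keeps each user's registered public key and the challenge tokens it has issued.
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string]time.Time // token -> time issued
	ttl        time.Duration        // how long an issued token stays valid
}

func NewServer(ttl time.Duration) *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, challenges: map[string]time.Time{}, ttl: ttl}
}

// Register stores only the public key: the server never holds a password or private key.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random token for the client to sign.
func (s *Server) Challenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	token := hex.EncodeToString(b)
	s.challenges[token] = time.Now()
	return token, nil
}

// signedMessage binds a purpose label and the user name to the token (no cross-account reuse).
func signedMessage(user, token string) []byte { return []byte("login:" + user + ":" + token) }

// Sign is the client side: prove possession of the private key by signing the challenge.
func Sign(priv ed25519.PrivateKey, user, token string) []byte { return ed25519.Sign(priv, signedMessage(user, token)) }

// Verify accepts the login only if the token was issued here, is unused and unexpired, and the signature checks.
func (s *Server) Verify(user, token string, sig []byte) bool {
	issued, issuedHere := s.challenges[token]
	delete(s.challenges, token) // single use, so a captured response cannot be replayed
	pub, known := s.keys[user]
	if !issuedHere || !known || time.Since(issued) > s.ttl {
		return false
	}
	return ed25519.Verify(pub, signedMessage(user, token), sig)
}
```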

I'm starting to ramble...
