Sunday, October 7, 2012

web of trust instead of lastpass

Why can't/don't we use public key crypto for authenticating on google, facebook, etc., all the web 2.0 services? Instead of all the usual jazz, why don't I just hand out my public key to the various services? It would provide better authentication more securely.

It is inconvenient to have a separate username and password for every service I use. There are various security issues.

One strong implication of using public key crypto: I'd better never lose my private key.

What happened to the cypherpunks and their web of trust idea?
I could make it so my wife can also unlock my stuff with her private key, or my lawyer, in case of my death.

It would be best if the services themselves accepted public keys for authentication. But we could create a web app or software like lastpass. It would maintain a database of my usernames and passwords with the URLs of the services they match, encrypted with my public key. It could automatically update/randomize my passwords. This sounds so simple; does it exist somewhere already and I just don't know about it?
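The encrypted vault idea above, combined with the earlier "my wife can also unlock my stuff with her private key" requirement, as an added example that is not part of the original post and does not describe lastpass or any real product: a sealed credential list that any one of several public-key holders can open. The Go code below is my own; it assumes the credential database has already been serialized to bytes, and it uses hybrid encryption (a random AES-256-GCM data key wrapped with RSA-OAEP once per recipient) rather than encrypting the whole database directly with a public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Vault: one AES-256-GCM ciphertext plus the data key wrapped with RSA-OAEP per recipient.
type Vault struct {
	Nonce, Ciphertext []byte
	WrappedKeys       [][]byte
}

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so neither call can fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts the serialized credential list under a fresh data key and wraps that
// key for every recipient (owner, spouse, lawyer); nobody's private key is ever shared.
func Seal(plain []byte, recipients []*rsa.PublicKey) (*Vault, error) {
	dataKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(dataKey)
	rand.Read(nonce)
	v := &Vault{Nonce: nonce, Ciphertext: gcmFor(dataKey).Seal(nil, nonce, plain, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
		if err != nil {
			return nil, err
		}
		v.WrappedKeys = append(v.WrappedKeys, w)
	}
	return v, nil
}

// Open tries each wrapped key with priv; any single recipient can unlock the vault,
// and the GCM tag check rejects a ciphertext that was modified while stored.
func Open(v *Vault, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range v.WrappedKeys {
		dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
		if err != nil {
			continue // this slot was wrapped for someone else's key
		}
		return gcmFor(dataKey).Open(nil, v.Nonce, v.Ciphertext, nil)
	}
	return nil, rsa.ErrDecryption // no slot matched this private key
}
```

Adding a new trusted person later only means wrapping the data key for one more public key; if every listed private key is lost, the vault is gone, which is exactly the "never lose my private key" point above.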
