Why URL?

[Brad Fitzpatrick]

Short answer:

This is an practical identity system for the masses, not one for idealists
and dorks.

End-users don't understand crypto, and even those that do
(including myself) still don't use it often.

- Brad



On Wed, 17 Aug 2005, Alexey Khmara wrote:

> Hello.
>
> I'm not sure, if it's the correct place for my question, but I can't
> find better.
>
> I cannot understand, why bind a digital identity to particular URL? Why
> not use pair of PGP keys or something like this?
> Scheme:
>
> User gives to site-consumer URL of site, that handles digital ID requests.
> Site-consumer queries this url and obtains public key.
> Then, it encrypts some string with this key and gives it throught user
> agent to server with it's own public key (or it's URL). Server asks user
> for login/password or in some other way ensures in user's identity. If
> ok, it decrypts string, using user's private key and encrypts it wyth
> client's public key. Then, answer is sent back to site-client. It
> decrypts answer and compares it with original string, that must be
> identical.
>
> So, user identified by public key. So, he/she can use multiple servers,
> that support one identity, and if one don't work can easily use another.
> Also, if even identity server wil die, user (provided that he backed up
> his pair of keys) can establish new server, not losing identity.
>
> Other (may be, unrelevant) idea: user agent can intercept queries to
> some identity server and handle these queries by self, so user don't
> need to rely on any external servers to provide identity.
>
> Sorry for may bad English...
>
> WBR, Alexey Khmara
>
>
>
>