OpenPGP auth

Pete Chown Pete.Chown at skygate.co.uk
Thu Aug 3 00:42:37 EST 2000


sen_ml at eccosys.com wrote:

> if i dug enough, i could also find a later post from [Werner Koch]
> saying that it would be really nice to have an openpgp packet
> manipulation library too ;-)

Yes -- there have been a few posts along these lines on the gnupg
lists over the last week or so.  I got this wrong; sorry.

> it'd be nice to have openpgp auth in openssh, but i don't suppose the
> priority is that high.  i suppose not having it forces people to use
> different authentication tokens/info (if you had openpgp auth, you'd
> probably be at least tempted to use the same key pairs for mail and
> for ssh authentication) which might actually be a better thing
> security-wise (cf. the all-mighty card system discussion at mit a few
> years back).

My motivation is not really to let people use the same keys for
everything, although that might be useful in some circumstances.

What I think is neat about OpenPGP auth is that it makes access
control more flexible.  You could, for example, grant access to
systems just by signing a key.  If you wanted to withdraw access again
you could revoke the signature.  I will be fascinated to see how well
this works in practice.

-- 
Pete

More information about the openssh-unix-dev mailing list