oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

GPG based authentication #158

Closed ghost closed 1 year ago

ghost commented 1 year ago

Hello!

I think that most current authorization methods have a problem - they require the user to register an account with a specific password in at least one service. This service can then be used as an authentication server for other services. It is nice that users do not have to share their password between different services (as far as I understand, that is the problem which is solved with OAuth), but having an account in a specific service should not be a requirement.

Cryptography and GPG allow users to send their identity to a public server, and then verify their packages/messages/data with digital signatures. This approach can be extended/reused as an authorization/authentication mechanism, which will allow users to verify their identity with GPG instead of creating an account in a specific service. This will also reduce the headache of connecting lots of different authorization services, since there would be a unified auth approach which is not tied to a specific authorization server.

Currently the OAuth spec has an HTTP signatures draft, which allows signing/verifying messages with ssh-keys. It should also be possible to use GPG for authorization and message verification.

aaronpk commented 1 year ago

The reference to HTTP Signatures is for client authentication, not user authentication. User authentication is out of scope of the core OAuth spec.