East Bay Ruby people:
I hope this is the right place for this. Please let me know if it's improper.
So I'm tackling my first Rails application. It will have the usual
list of user accounts, but I'm challenged by the user authentication
scheme. Instead of (or in addition to) conventional password
authentication, I'd like to use some sort of public-key scheme for
I'm thinking a user can tell my app their public key when they sign
up for an account. During user login, my app will encrypt a snippet
of random data using the public key on file, which the user's browser
will then somehow decrypt and return. This way I can be sure the user
knows his own private key, without my end or the Internet ever seeing
that private key. The encryption scheme can be light- to heavy-duty
as needed. The main point is that passwords suck. Not only are they
often insecure in transit, but they must be changed frequently and
not re-used at multiple servers, and they should be full of funny
characters, and all those annoying things that cause people to just
leave everything half-locked all the time. The sort of authentication
protocol I have in mind allows a user to safely re-use a key all over
town, and the public key data can be handled with total carelessness
because it's published anyway.
So, has anyone heard of an existing login protocol that sounds
anything like this? And if not, does anyone have ideas on how to make
one for a Rails app?