[Skip to Content]
contact CTIcontact
gpgAuth : FAQ



What is gpgAuth?

gpgAuth is a mechanism for authenticating users using GnuPG/PGP.

gpgAuth is a process, it is not software, per se. It was designed as way for users and service providers to have an alternative to the legacy Username/Password authentication scheme.

gpgAuth is not limited to web authentication, nor is specific to any platform or operating system.


How does gpgAuth work?

gpgAuth works by defining a policy for generating, exchanging and verifying GnuPG/PGP encrypted tokens between a client and server.

The gpgAuth protocol defines:

  • the advertisement/query of gpgAuth support
  • the process for exchanging tokens
  • the user trust calculation for public keys belonging to servers
  • the selection of public keys for verifying a server/service

The steps involved in the gpgAuth process:

  • The user generates a token of random data and encrypts it to the service's Public Key, and stores the unencrypted version locally.
  • That encrypted token is sent to the server (optionally: with no other identifying data).
  • The server decrypts the token provided by the user and returns it.
  • The client verifies that the data returned matches the data originally sent.
  • The client proceeds by providing a Key ID, or ID's to the server.
  • The server looks up the user by the Key ID(s) and verifies the account is valid and in good standing.
  • The server then generates some random data and encrypts the data to the users Public Key.
  • The client decrypts the data provided by the server, verifies that contents were generated for the authentication and provides the decrypted result to the server.
  • The server compares the decrypted result with the unencrypted data originally generated.


Where can I download gpgAuth?

gpgAuth is not exactly software. I designed gpgAuth and originally wrote some sample code for both the server and client-side process to demonstrate the feasiblity and start a conversation - in hopes that others would become involved and help ratify a defined standard. Due to the lack of interaction/involvement by others, I decided to just go ahead and publish some client utilities myself in the way of browser extensions. Details about client implementations can be found in the "Client implementations" section of this website.

mod_python  gpgAuth Enabled