by lukev 5626 days ago
The only ultimate, secure, technically valid solution to single sign-on is 2-way SSL.

Unfortunately, for this to work, several things need to happen:

1) Users need to learn what a private key is.

2) Browsers need to provide flexible, intuitive, easy-to-use user key support that's not tucked away in 3 levels of dialogs/tabs.

3) We need good key-management tools so I can log on to sites from internet cafes, etc (perhaps a session-lived key cache in the browser, with support for syncing it remotely?)

3 comments

Anything that starts with, users need to learn <new technical concept> seems doomed to fail.
Not if it provides a significant-enough benefit. How many people had "passwords" as a daily part of their life before 1995 or so?

Every technology is new at some point. My thesis is that keys are not that hard and technical people should actually try to push understanding of them into the non-techie realm. If they fail, they fail, but if they succeed, it would make all computing so much more secure.

Edit: I should also point out that it's not really any more complicated than OpenID, and people seemed willing to give that a fair shake, at least to the extent that a lot of sites implemented it.

Most people in my country of adult age. PINs (bank ID codes) are effectively passwords.
Kids have used passwords in games for years. Everyone's seen spy movies. The story of Aladdin is part of popular culture.

But "here is a thing in two parts, one of which you give to everyone but one of which you need to keep absolutely to yourself or you're screwed" doesn't have a common analogy. Even the "I give you an open box with a padlock" analogy can feel a bit contrived.

However, I also feel that there was no cohesive attempt at building a similar story for OpenID - which is a shame as it could be as simple as "tell us which site you want to log in via and we'll do the rest".

Public key = your address. Private key = the key to the front door.
It is doomed to fail. It is also the only actual solution. Therefore, there is no possible successful solution. Sometimes things work out that way.
> We need good key-management tools so I can log on to sites from internet cafes, etc (perhaps a session-lived key cache in the browser, with support for syncing it remotely?)

Giving out your private keys like that (what, you actually trust an internet cafe computer?) is a rather bad idea. Instead have a service that your local client can authenticate to (with a normal password if you trust your client, or an RSA keyfob, or an application that makes your phone act like a keyfob), that acts vaguely like either ssh-agent (with the connection established in the opposite direction) or a Kerberos KDC (which would let you not need to keep track of privkeys).

I use this and am pretty happy with it. http://passwordmaker.org/

Uses the site's domain as a salt though, which isn't exactly secure if whoever hacks the database decides to ignore the low-hanging unencrypted fruit and crack your password. You can configure the encryption settings a bit though and add your own pre-salt kinda deal.
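The point in the comment above, as an added example that is not PasswordMaker's own code or algorithm: a deterministic per-site password generator that uses the domain as the salt, and why a user-chosen secret "pre-salt" matters once one site's password database leaks. The function names, the PBKDF2 choice and the sample passwords are all constructed for this illustration.

```python
import base64
import hashlib

# Constructed illustration for this thread, not PasswordMaker's real scheme:
# site password = KDF(master password, salt = pre-salt + domain).
ITERATIONS = 100_000  # PBKDF2 work factor; raise it for real use


def derive_site_password(master, domain, presalt="", length=16):
    """Return the password to use on `domain`, derived from `master`.

    The domain is public, so it only guarantees that each site gets a
    different password; it does nothing to stop someone holding one site's
    breached password from testing guesses for `master` offline.  The
    pre-salt is a secret the user never sends anywhere, so without it the
    derivation cannot be reproduced from breached data alone.
    """
    salt = f"{presalt}|{domain.lower()}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=24)
    return base64.urlsafe_b64encode(key).decode()[:length]


def leak_exposes_master(leaked_site_password, domain, candidate_masters, presalt=""):
    """Model the risk the comment describes.

    A breach hands over the site password and the (public) domain, nothing
    else.  Returns the master password if it is among `candidate_masters`
    and the derivation can be reproduced, otherwise None.  With a secret
    pre-salt in use, the reproduction fails and None comes back even when
    the true master is in the candidate list.
    """
    for candidate in candidate_masters:
        if derive_site_password(candidate, domain, presalt) == leaked_site_password:
            return candidate
    return None


if __name__ == "__main__":
    master = "correct horse"  # constructed sample master password
    domain = "news.ycombinator.com"
    weak = derive_site_password(master, domain)
    print("domain-only salt, master recovered:", leak_exposes_master(weak, domain, ["password", master]))
    strong = derive_site_password(master, domain, presalt="my-secret")
    print("with secret pre-salt, master recovered:", leak_exposes_master(strong, domain, ["password", master]))
```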