Why haven't asymmetrical keys replaced passwords yet?

imagined security scheme:
1.Generate public/private key pair
2. share public key when creating account with whomever.
3. when logging in, account will send you random string
4. your browser will encrypt string with private key
5. account will decrypt string with your public key, if it is the same string they sent, you are authenticated.


@zacharius Keep in mind that with PKI you can have entirely unauthenticated /transactions/, by instead authenticating / encrypting /content/.

Post to site, and GPG-sign post. Send private message, encrypted to recipient.

Problem here is that there's massive metadata leakage. CCC have covered this in recent years IIRC.

There's also the directory / routing problem.

Sign in to participate in the conversation

Generalistic and moderated instance.