JS API for auto-generating public keys


There should be an API to get an unspecified public key compatible with the current TLS version.

It should be rate-limited and should look something like this:

var key;
try {
key = make_pubkey(username);
} catch (e) {
alert("you're doing that too much");

And then the server can associate the key with the user account, eliminating the need for logins. The browser should automatically use the key on next visit to the server, and may provide choice for multiple keys, but preferably should try every key and the server may provide a choice for all identities it detects.

It should only be available on HTTPS ofc.

Malicious scripts can generate keys but considering the rate limit + the extra keys don’t do anything except slow down loading slightly, and they can’t access the private keys at all, this should be just fine.

(Alternatively shove this into HTTPS headers somehow. That could be (more) dangerous on public computers tho, if they’re configured to auto-accept all public key generation, as you’d expect the user to “link current computer” from a settings/preferences pane.)


You may want to take a look at SQRL it is a proposed idea for using public key technology to handle secure authentication with web sites.

It isn’t quite as simple to do as “just generate a public key and send to server”. There needs to be some private component that the user has access to to compare against for authentication. The user also needs to know to keep the private component backed up safely. They may also need it on multiple devices to authenticate with.

Using public key systems to do web authentication is being explored. But I feel it is still too early for browsers to jump into pushing it just yet. Some open experimentation is needed first to understand how a wider range of people will respond to this kind of shift away from passwords.


“No separate identities” is a bit of a bummer - I use two accounts for mastodon, on the same instance, and I’d like to keep them separate. how do I go about doing that?

By having arbitrary key generation, with no way for the website to access the private side of the key, you can trivially have multiple, separate identities. But with that thing it’s a complete PITA.