EnigForm – HTML/HTTP forms with OpenPGP

Talking to Buanzo, I have been testing the EnigForm plugin for Mozilla. Briefly, EnigForm gives you OpenPGP signing of HTML forms, based on GnuPG, by setting some HTTP headers with the OpenPGP data. This is quite cool, I imagine two use-cases:

  • PGP-based web-authentication. Type your username, have a hidden form field with a nonce, and have EnigForm sign the data. The server verifies the signature, and you have been logged on.
  • PGP-protected web-based forums, bug-tracking systems, polls, etc. What you write in a HTML form is signed by EnigForm, and the server knows who wrote it, and there is persistent evidence of it. Imagine Debian votes through the web instead of via e-mail!

I think this should be documented and forwarded to the IETF for standardization. It is a good example of a simple invention that uses two existing techniques in a new way.