>>29
It's not like people didn't try before (with oauth). It's just that the nature of the web does not lend itself to something truly robust, as you'd need reasonable pki infra in the first place (which we don't have).
Same could be said, for example, about ipsec vs ip. Sure the protocols were designed, but that is a far cry from actual adoption in practice except in a few niches.
Adoption of extensions violating the "it's simple" rule, and often being imperfect improvements, happens only when the original simple things get really, really inadequate. ssh and telnet, https and http...
As for website password forms, you can simply generate a per-site password from a master passphrase (see brainpass) - as a kludge for the lack of robust pki. It's not perfect, but works well enough. Just like how ssh copes with the lack of trustworthy CAs in an imperfect way, or SSL or DNSSEC being generally horrible protocol-wise, yet everyone still sticking with it because it's a standard.
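The per-site derivation mentioned in the post above, as an added example that is not part of the original post and is not brainpass's own algorithm. The KDF choice (scrypt), its parameters, the salt layout, the alphabet and all function names are assumptions made for this sketch.

```python
import hashlib
import string

# All names and parameters below are assumptions made for this example.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
SCHEME_LABEL = "site-pw-v1"   # version tag so parameters can change later


def normalize_site(site: str) -> str:
    """Reduce a URL or hostname to a lowercase host, so the same site
    always yields the same salt and a look-alike host yields another."""
    site = site.strip().lower()
    if "://" in site:
        site = site.split("://", 1)[1]
    return site.split("/", 1)[0]


def site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Derive a deterministic password for one site from a master passphrase.

    counter is bumped to rotate a single site's password without
    changing the master passphrase.
    """
    if not master:
        raise ValueError("master passphrase must not be empty")
    if not 8 <= length <= 40:
        raise ValueError("length must be between 8 and 40")
    salt = f"{SCHEME_LABEL}|{normalize_site(site)}|{counter}".encode()
    # scrypt is memory-hard: each offline guess at the master passphrase
    # costs about 16 MiB and tens of milliseconds.
    raw = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1,
                         maxmem=64 * 2**20, dklen=64)
    # 512 bits of output against at most 75**40 (~2**249) outcomes keeps
    # the modulo bias of repeated divmod negligible.
    value = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        value, idx = divmod(value, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(site_password("correct horse battery staple", "https://example.com/login"))
```

Because the derivation is deterministic, anyone who obtains one site's plaintext password can test guesses of the master passphrase offline, so the scheme is only as strong as that passphrase and the KDF cost.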