OK, my idea is this
Originally Posted by anomie
P is the proxy (say on port 8383)
| P |<--->| U |
| WA |
WA is a web application (say a wiki on port 80)
P and WA are on the same machine running apache and whose name is www.example.com
The user (U) points his browser to www.example.org:8383 and gets a mask asking for a e-mail address and a field where the user crypt a random text (supplied by P) with the secret key of that email address.
If the same text crypted by P using the public key is equal to the one given from the user, the user is authorized to access WA via port 8383.
(WA accepts only localhost request, so anybody has to go thought the proxy and not directly to WA.)
(Details: P looks for the public key on a certain key server and it has to generated from more than n days.)