On 10/10/12 23:44 PM, Guido Witmond wrote:

> 2. Use SSL client certificates instead;


Yes, it works. My observations/evidence suggest it works far better than passwords because it cuts out the disaster known as "I lost my password...."

It is what we do over at CAcert, which coincidentally succeeded because we forced all the Assurers to add client certs to their browsers. Once they had them, we had enough of a user base to make it worthwhile, the chicken & egg problem was solved, and everything else followed.

It's worth noting that you don't need to use a CA at all; the acceptance of the cert is done on the server side, and unlike browsers, it does not enforce the use of a CA. Literally it doesn't enforce anything, nor accept anything; part of the job is to add the code and/or configuration to accept your preferred certs. How to do it is beyond scope; it is typically messy...

The downside of certs on multiple platforms is noted, but one needs to be aware that the people with multiple devices are typically the developers, not the users. In my time with CAcert I've never heard anyone grumble that certificate sign-on is no good because of the platform problem, they just get on and install the certs...


iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
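Added example, not from the post above nor from CAcert's own code: a Go server that does exactly what iang describes. It demands a client certificate (tls.RequireAnyClientCert) but configures no ClientCAs, so the TLS layer builds no chain and trusts no CA; the only accept/reject decision is a lookup of the presented certificate's SHA-256 fingerprint in an enrollment table. The users alice and mallory, the self-signed "localhost" server certificate and the in-memory table are assumptions constructed for the demo; a real deployment would fill the table at enrollment and attach the matched identity to the session.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for name; no CA signs it.
// (Example-only helper: in practice the client keeps its own key and uploads just the cert.)
func selfSigned(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// fingerprint is the SHA-256 of the DER certificate: the only thing the server stores at enrollment.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// serverConfig demands a client certificate but builds no chain (RequireAnyClientCert, no ClientCAs);
// without VerifyPeerCertificate it would accept any cert at all, so the allow-list below is the whole policy.
func serverConfig(serverCert tls.Certificate, enrolled map[string]string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert,
		MinVersion:   tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("no client certificate presented")
			}
			if _, ok := enrolled[fingerprint(rawCerts[0])]; !ok {
				return errors.New("client certificate not enrolled")
			}
			return nil // a real server would attach enrolled[fp] to the session here
		},
	}
}

// handshake runs one TLS handshake over loopback and returns the server's verdict (nil = accepted).
func handshake(srvCfg *tls.Config, clientCert, serverCert tls.Certificate) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			err = tls.Server(raw, srvCfg).Handshake()
		}
		verdict <- err
	}()
	// The client pins the self-signed server cert the same way: as its only trust root.
	pool := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(serverCert.Certificate[0]) // just minted above, so it parses
	pool.AddCert(leaf)
	cliCfg := &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: pool,
		ServerName: "localhost", MinVersion: tls.VersionTLS12}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), cliCfg)
	result := <-verdict // under TLS 1.3 the client finishes before the server has ruled on its cert
	if err == nil {
		conn.Close()
	}
	return result
}

// demo enrolls alice only and reports whether alice and mallory get in.
func demo() (aliceOK, malloryOK bool) {
	server, alice, mallory := selfSigned("localhost"), selfSigned("alice"), selfSigned("mallory")
	enrolled := map[string]string{fingerprint(alice.Certificate[0]): "alice"} // the enrollment record
	cfg := serverConfig(server, enrolled)
	return handshake(cfg, alice, server) == nil, handshake(cfg, mallory, server) == nil
}

func main() {
	aliceOK, malloryOK := demo()
	fmt.Printf("alice (enrolled) accepted: %v\nmallory (unknown) accepted: %v\n", aliceOK, malloryOK)
}
```

Two practical notes. Pinning the whole certificate means a renewed certificate needs re-enrollment even if the key is unchanged; pinning the SubjectPublicKeyInfo hash instead survives renewal, at the cost of not noticing a changed expiry. And the lookup is the only thing standing between "any cert" and "our users", so it wants the same care as a password table: revocation is just deleting the row, but the code path must fail closed when the table is unavailable.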