On 24 March 2013, at 01:03, CeDeROM <cede...@tlen.pl> wrote:

> Why don't you just use PKI for authentication (you can generate your
> own certificates)? You can easily upload keys/certificated to client
> machines (PC, Android, Apple, ...). That should work :-)

Thats exactly what I have been testing.  Its easy in concept, but there are 
issues in the details.  Once the certificate is loaded in a Mac and the 
password entered, its available for anyone to use thereafter.  You actually 
have to remove the certificate from the keychain to disable it.  Not a great 
approach for shared computers.  Most users will not know how to remove it 
properly.  I don't know about PCs yet though.  In addition there are possible 
issues with mail clients.  I have not tried them yet.  It all depends if they 
can handle p12 format certificates.  Pem format certificates must have the 
private key in plain format which renders them completely insecure.

Then there still is the issue about Safari (at least) not handling the no 
certificate case properly.

-- Doug

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to