On Tue, Jan 19, 2016 at 6:26 PM, Mick <michaelkintz...@gmail.com> wrote:
>
> You can use apache client authentication with SSL certificates only.  Of
> course you will need to create a self-signed CA, which you will use to create
> the web server public/private key pair and also sign each client's certificate
> and upload it along with your CA certificate to the user's browser.  This
> explains the principle:
>
> If a user certificate is lost or feared compromised, you revoke it with your
> CA and upload the CRL to the server.

The problem is, how would you know?  In a traditional browser
(including Mozilla and Chrome on anything but a Chromebook) the key
associated with the certificate is stored in a file on disk.  Sure, it
might be encrypted with a hand-typed password, but those passwords are
not hard to brute force, and susceptible to keyloggers anyway.  Those
keys also are unencrypted in RAM while in use.  If something stole a
copy of your key, you'd likely never know.

But, I agree they can be revoked if you discover the issue.

Now, a solution for a more traditional desktop is to use an SSL key stored
on a smartcard, which I'm sure Diego has blogged about on
planet.gentoo.org as he is into those.  That has all the advantages of
the TPM as far as key security goes.  However, you're still vulnerable
to XSS and keyloggers and such.

Sorry to nitpick.  I'd love to see more linux-based options for an
ultra-secure platform.  It is impressive that Google managed to
commercialize one - you can accomplish quite a lot with FOSS tools if
you put the time into it.

-- 
Rich
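The setup Mick describes (a self-signed private CA, a server key pair, a client certificate signed by that CA and imported into the browser, a CRL published when a certificate is revoked) as an added shell example; it is not code from the thread, from Apache or from Diego's posts. The directory layout, the example.test names, the "changeit" export password and the /etc/apache2/ssl paths in the mod_ssl fragment are all assumptions for the demo. It only needs the openssl command line and runs entirely in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA that issues a server
# certificate and a browser client certificate, then revokes the client
# certificate and publishes a CRL.  All names and paths are assumptions.
set -eu

# demo_pki_setup DIR: create the CA, issue server.crt and client.crt,
# bundle the client key for browser import, and publish an (empty) CRL.
demo_pki_setup() {
  mkdir -p "$1/ca/newcerts"
  work=$(cd "$1" && pwd)
  ca="$work/ca"
  : > "$ca/index.txt"              # CA database, starts empty
  printf '1000\n' > "$ca/serial"   # next certificate serial
  printf '1000\n' > "$ca/crlnumber"

  # Minimal openssl.cnf shared by 'openssl req' and 'openssl ca'.
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
unique_subject   = no
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:server.example.test
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

  # Self-signed CA: the one trust anchor Apache will be configured with.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$ca/openssl.cnf" \
    -subj "/CN=Demo Private CA" -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null

  # Server and client key pairs + CSRs, signed by the CA with distinct EKUs,
  # so a client certificate cannot be presented as a server certificate.
  for name in server client; do
    openssl req -new -newkey rsa:2048 -nodes -config "$ca/openssl.cnf" \
      -subj "/CN=$name.example.test" -keyout "$work/$name.key" -out "$work/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$ca/openssl.cnf" -extensions "${name}_ext" \
      -in "$work/$name.csr" -out "$work/$name.crt" 2>/dev/null
  done

  # PKCS#12 bundle (client key + client cert + CA cert) is what the browser
  # imports; the export password is the only protection the key has on disk.
  openssl pkcs12 -export -inkey "$work/client.key" -in "$work/client.crt" \
    -certfile "$ca/ca.crt" -passout pass:changeit -out "$work/client.p12"

  demo_pki_publish_crl "$work"
}

# demo_pki_publish_crl DIR: regenerate ca/ca.crl from the CA database.
demo_pki_publish_crl() {
  openssl ca -gencrl -config "$1/ca/openssl.cnf" -out "$1/ca/ca.crl" 2>/dev/null
}

# demo_pki_revoke DIR CERT: what the CA operator does for a lost or
# compromised client key; the new CRL is what gets uploaded to the server.
demo_pki_revoke() {
  openssl ca -config "$1/ca/openssl.cnf" -revoke "$2" 2>/dev/null
  demo_pki_publish_crl "$1"
}

# demo_pki_verify DIR CERT: chain-check CERT against the CA and its CRL (the
# check mod_ssl does with SSLCARevocationCheck).  Prints OK, REVOKED or FAIL.
demo_pki_verify() {
  out=$(openssl verify -crl_check -CAfile "$1/ca/ca.crt" -CRLfile "$1/ca/ca.crl" "$2" 2>&1) \
    && { echo OK; return 0; }
  case $out in
    *"certificate revoked"*) echo REVOKED ;;
    *) echo FAIL ;;
  esac
}

# demo_pki_apache_conf DIR: mod_ssl fragment (Apache 2.4 directives) that
# requires a client certificate from our CA and consults the CRL.  Assumed paths.
demo_pki_apache_conf() {
  cat > "$1/client-auth.conf" <<'EOF'
SSLEngine               on
SSLCertificateFile      /etc/apache2/ssl/server.crt
SSLCertificateKeyFile   /etc/apache2/ssl/server.key
SSLCACertificateFile    /etc/apache2/ssl/ca.crt
SSLCARevocationFile     /etc/apache2/ssl/ca.crl
SSLCARevocationCheck    chain
SSLVerifyClient         require
SSLVerifyDepth          1
EOF
}

# Stand-alone run ("sh ca-demo.sh run"): build, revoke the client cert, report.
if [ "${1:-}" = run ]; then
  d=$(mktemp -d)
  demo_pki_setup "$d"; demo_pki_apache_conf "$d"
  echo "client before revocation: $(demo_pki_verify "$d" "$d/client.crt")"
  demo_pki_revoke "$d" "$d/client.crt"
  echo "client after revocation:  $(demo_pki_verify "$d" "$d/client.crt")"
  echo "server after revocation:  $(demo_pki_verify "$d" "$d/server.crt")"
fi
```

Two things the run makes visible: revoking the client certificate changes only that certificate's verdict (the server certificate still verifies against the same CRL), and the CRL is a file the server has to be given, so the check is only as current as the last upload. The client.p12 bundle is the on-disk key the reply above is talking about; its export password is all that stands between a copied file and a usable client identity.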
