Ironically, the feedback that we received from Bill Shannon was that
certificates are hard to manage but everyone knows how to deal with
username/password (I'm paraphrasing). For example, the certificate
management infrastructure depends on what SSL libraries you are using
(OpenSSL, NSS, JSSE), and it gets harder if you have a mixture of
applications that use different libraries, especially when also dealing
with multiple operating systems. Now it might be the case that some of
this is unfounded bias from older systems, and all of this has been
fixed now. That's why I'm looking for references to help answer
questions in this area.

Thanks.
Tom


Darren J Moffat wrote:
> Tom Mueller (pkg-discuss) wrote:
>> Is there a write-up explaining why client certs are being used for
>> authentication to authorities rather than, say, username/password?
>
> Why not use them? What problem is it causing you?
>
> They provide much better security than username/password in a number of
> ways. They provide a better binding, so that you know who you are talking
> to, and it happens in the SSL exchange rather than the application.
> Certificates can be revoked and managed in ways that are more useful for
> dealing with entitlement issues.
>
> This is a new system being developed from scratch so it is the perfect
> opportunity to not implement weak and hard-to-manage security mechanisms
> like username/password.
>
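Darren's point that the client-certificate check "happens in the SSL exchange rather than the application", and that revocation can be enforced in the same place, is easiest to see in code. What follows is an added example written for this page, not code from pkg(5), its authors or anyone in the thread: a Go program (standard library only) that builds a throwaway in-memory CA, issues a server certificate and two client certificates, marks one client's serial as revoked, and runs mutual-TLS handshakes over loopback TCP. The names ("Example Test CA", "server.example", "alice", "bob") and the revocation list are constructed for the illustration and assume nothing about the pkg(5) authorities.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues an in-memory ECDSA P-256 certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent. Everything is constructed for this example; none of it is pkg(5) data.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // in-memory key generation only fails in a broken environment
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // lets a client verify the server by name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	issuer, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

// authenticate runs one mutual-TLS handshake over loopback TCP. The server requires a client cert chaining
// to ca and, still inside the handshake, rejects serials listed in revoked (a stand-in for a CRL lookup).
// It returns the CommonName the server's application layer sees; on error, that layer never ran at all.
func authenticate(ca *x509.Certificate, server tls.Certificate, revoked map[string]bool, client ...tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientAuth:             tls.RequireAndVerifyClientCert, // demanded and verified by the TLS layer
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // no post-handshake writes, so the client may close right after its handshake
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if revoked[chains[0][0].SerialNumber.String()] {
				return fmt.Errorf("client certificate %q revoked", chains[0][0].Subject.CommonName)
			}
			return nil
		},
	}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "server.example", Certificates: client}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // client side; its own verdict is not what we report
		if raw, err := net.Dial("tcp", ln.Addr().String()); err == nil {
			defer raw.Close()
			tls.Client(raw, clientCfg).Handshake()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	conn := tls.Server(raw, serverCfg)
	if err := conn.Handshake(); err != nil {
		return "", err // rejected inside the TLS exchange; no application code was involved
	}
	// Only now would application code run, with an identity the TLS layer has already verified.
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ca := newCert("Example Test CA", nil)
	srv, alice, bob := newCert("server.example", &ca), newCert("alice", &ca), newCert("bob", &ca)
	revoked := map[string]bool{bob.Leaf.SerialNumber.String(): true} // bob's serial is on the "CRL"
	for name, c := range map[string][]tls.Certificate{"none": nil, "alice": {alice}, "bob": {bob}} {
		cn, err := authenticate(ca.Leaf, srv, revoked, c...)
		fmt.Printf("client %-5s -> identity=%q  handshake error=%v\n", name, cn, err)
	}
}
```

Run it with `go run`: the client that presents no certificate and the client whose serial is revoked both fail inside the handshake, before the server's application code ever sees a connection, while the valid client arrives with a CommonName taken from the server's verified TLS state. The revocation hook is `tls.Config.VerifyPeerCertificate`, which Go calls after chain validation but still within the handshake; the in-memory serial set stands where a real server would consult a CRL or OCSP responder.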

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
