This blog can't be viewed on LiveJournal. Instead see

Client Certificates: It's easy, man!

21st Apr 2007 recently added support for logging in with client certificates. I've heard people talking about client certificates lots of times, but I always assumed that it'd never work due to it being complicated and difficult for users to understand. PKI is too complicated for users to understand, right? Why else would almost every site in existance still use passwords as the primary authentication mechanism?

With some scepticism I tried out the client certificate feature on I logged in, went to my account settings, clicked on the “Add a Certificate” button and immediately my browser (Opera) took over and asked me to choose a password to protect my client certificates. I entered one. It then asked me to confirm that I wanted to install the cert. I clicked “Install”. Then it was done. Surely that can't be all there is to it?

So I logged out and went back to the login screen. I elected to log in using a client cert. Opera asked for that password I entered earlier, and then I was logged in. Magic!

Of course, still needs to keep around the username/password support because I may need to log in when I'm not on a computer with a client cert installed. On computers I control, however, I know that I should not enter my username/password at ever again.

This is one of the great things about OpenID: can innovate, and suddenly I benefit from what they develop across every OpenID-enabled site. The hard work can be done in one place and have benefits across the web. I expect that this is just the beginning of the innovation we'll see in the future as OpenID becomes more widespread and OpenID Providers begin to compete with one another on features such as this.