Martin Atkins (mart) wrote in apparentlymart,

Client Certificates: It's easy, man!

MyOpenID.com recently added support for logging in with client certificates. I've heard people talking about client certificates lots of times, but I always assumed that it'd never work due to it being complicated and difficult for users to understand. PKI is too complicated for users to understand, right? Why else would almost every site in existence still use passwords as the primary authentication mechanism?

With some scepticism I tried out the client certificate feature on MyOpenID.com. I logged in, went to my account settings, clicked on the “Add a Certificate” button and immediately my browser (Opera) took over and asked me to choose a password to protect my client certificates. I entered one. It then asked me to confirm that I wanted to install the cert. I clicked “Install”. Then it was done. Surely that can't be all there is to it?

So I logged out and went back to the login screen. I elected to log in using a client cert. Opera asked for that password I entered earlier, and then I was logged in. Magic!

Of course, MyOpenID.com still needs to keep around the username/password support because I may need to log in when I'm not on a computer with a client cert installed. On computers I control, however, I know that I should not enter my username/password at MyOpenID.com ever again.
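To make the mechanism behind those two screens concrete, here is an added example in Go that is not part of this post or of MyOpenID.com's code: a stand-in provider issues a user certificate from its own CA (the "Add a Certificate" step) and then demands that certificate at TLS handshake time (the login step), refusing the handshake when the browser has none. The names provider-ca, myopenid.example and mart are made up for the demo, and the whole exchange runs over an in-memory pipe rather than a network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue makes an Ed25519 key and a certificate for cn signed by parent; a nil parent means self-signed (the CA).
func issue(cn string, parent *x509.Certificate, parentKey any) (tls.Certificate, *x509.Certificate) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

// Login runs one TLS handshake; the server plays the provider, accepts only a certificate from its own CA and returns the user.
func Login(presentCert bool) (string, error) {
	caTLS, ca := issue("provider-ca", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCert, _ := issue("myopenid.example", ca, caTLS.PrivateKey)
	clientCert, _ := issue("mart", ca, caTLS.PrivateKey) // what "Add a Certificate" installs in the browser
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "myopenid.example"}
	if presentCert {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
	serverSide, clientSide := net.Pipe() // synchronous pipe: tickets are off so the server never writes unread
	defer serverSide.Close()
	go tls.Client(clientSide, clientCfg).Read(make([]byte, 1)) // browser: Read drives the handshake, then reads any refusal alert
	srv := tls.Server(serverSide, serverCfg)
	if err := srv.Handshake(); err != nil {
		return "", err // no valid client certificate: this is where the password form is the fallback
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Login(true) returns "mart" because the server verified a chain back to the CA it issued from; Login(false) returns the handshake error, which is the case in which the site still has to offer a password login.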

This is one of the great things about OpenID: MyOpenID.com can innovate, and suddenly I benefit from what they develop across every OpenID-enabled site. The hard work can be done in one place and have benefits across the web. I expect that this is just the beginning of the innovation we'll see in the future as OpenID becomes more widespread and OpenID Providers begin to compete with one another on features such as this.

Tags: myopenid, openid, phishing, tls