Martin Atkins (mart) wrote in apparentlymart,

Client Certificates: It's easy, man!

recently added support for logging in with client certificates. I've heard people talking about client certificates lots of times, but I always assumed that it'd never work due to it being complicated and difficult for users to understand. PKI is too complicated for users to understand, right? Why else would almost every site in existence still use passwords as the primary authentication mechanism?

With some scepticism I tried out the client certificate feature on I logged in, went to my account settings, clicked on the “Add a Certificate” button and immediately my browser (Opera) took over and asked me to choose a password to protect my client certificates. I entered one. It then asked me to confirm that I wanted to install the cert. I clicked “Install”. Then it was done. Surely that can't be all there is to it?

So I logged out and went back to the login screen. I elected to log in using a client cert. Opera asked for that password I entered earlier, and then I was logged in. Magic!

Of course, still needs to keep around the username/password support because I may need to log in when I'm not on a computer with a client cert installed. On computers I control, however, I know that I should not enter my username/password at ever again.

This is one of the great things about OpenID: can innovate, and suddenly I benefit from what they develop across every OpenID-enabled site. The hard work can be done in one place and have benefits across the web. I expect that this is just the beginning of the innovation we'll see in the future as OpenID becomes more widespread and OpenID Providers begin to compete with one another on features such as this.

Tags: myopenid, openid, phishing, tls
