> This isn't really a problem with the servers though, the problem lies
> in the fact that client-side certs are (effectively) unworkable. I
> know of a number of organisations who wanted to use them and ran into
> so many problems just with pilots involving small numbers of
> (presumably) experienced users that they gave up on trying to deploy
> them to the masses. If we had an all- encompassing PKI (ie.if cert
> management was easy) and if we could assume technically clueful users
> and if those users really cared about security (rather than seeing it
> as an impediment to getting their work done, which it often is), then
> client-side certs would be feasible. At the moment they're just not
> workable except within closed communities where you can control a lot
> of the parameters (you run the PKI, you vet the users, and you tell
> them you won't talk to them unless they take the appropriate security
> precautions and hope you don't have competitors who'll let them in
> without this).
It is my understanding that MIT has a number of widely-used web
applications (eg student registration) that have been using only client
certs for authentication for a couple of years with reasonable success.
You might say that this makes your point (these are MIT people, after all,
hence closed, vetted, clueful, etc), but it is reasonably large-scale
(~20K users or so, I think). The point, perhaps, is that this PKI
deployment duplicates, more or less, for the web the functionality that
Kerberos provided ten years ago for its suite of applications (telnet
etc). So it's comforting to know that a PKI can do that much. *8^)*
- RL "Bob"
