"RL 'Bob' Morgan" <[EMAIL PROTECTED]> writes:

>> It is my understanding that MIT has a number of widely-used web
>> applications (eg student registration) that have been using only client
>> certs for authentication for a couple of years with reasonable success.  
>> You might say that this makes your point (these are MIT people, after all,
>> hence closed, vetted, clueful, etc), but it is reasonably large-scale
>> (~20K users or so, I think).  The point, perhaps, is that this PKI
>> deployment duplicates, more or less, for the web the functionality that
>> Kerberos provided ten years ago for its suite of applications (telnet
>> etc).  So it's comforting to know that a PKI can do that much.  *8^)*

One might argue whether the PKI is really doing this much.  MIT's system
uses Kerberos to bootstrap.  Users authenticate via Kerberos to a
service which then signs their public key and sends back the
certificate.  This has the nice property of end-running many of the
problems which surround PKI infrastructures.  If a user needs to use a
cert from more than one machine or environment, or they forget their
browser password (which encrypts the private key), or they lose the
cert, they can just get another one from the cert server.  Since
getting a new one is relatively easy, certs expire after a year.
Notably, this system does not address revocation.

Also, last I checked, MIT's system required Netscape, since IE
just couldn't be made to work.  The client software has a long way to
go.

                Marc

P.S. No, I don't know if the code is available, or from where.
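As an added example, not code from the thread or from MIT's deployment, here is a Go model of the Kerberos-bootstrapped cert server Marc describes: the user's public key is signed only after a Kerberos check, the cert is valid for one year, and the relying party checks signature and validity window only, so a lost cert stays usable until it expires. The names Issue, Verify and issuer, the krbOK flag standing in for real ticket validation, and the revoked denylist (which the described system did not have) are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Hypothetical issuer name for the cert server; a bare template is enough as the
// signing parent because only its Subject is copied into the issued cert.
var issuer = &x509.Certificate{Subject: pkix.Name{CommonName: "Cert Server CA"}}

// Issue models the Kerberos-bootstrapped step from the description above: the
// user's public key is signed only when krbOK (standing in for a validated
// Kerberos ticket) is true, and the cert is valid for exactly one year.
func Issue(caKey ed25519.PrivateKey, serial int64, principal string, krbOK bool, userPub ed25519.PublicKey) (*x509.Certificate, error) {
	if !krbOK {
		return nil, errors.New("kerberos authentication required; no certificate issued")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: principal},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, userPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is what a relying web server checks: the cert server's signature over
// the TBS certificate and the validity window. Neither notices a lost or stolen
// cert before it expires; the revoked set is an added denylist (an assumption of
// this example) showing the check the described deployment lacked.
func Verify(caPub ed25519.PublicKey, revoked map[int64]bool, cert *x509.Certificate, at time.Time) error {
	if !ed25519.Verify(caPub, cert.RawTBSCertificate, cert.Signature) {
		return errors.New("signature not from the cert server")
	}
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		return errors.New("certificate outside its one-year validity window")
	}
	if revoked[cert.SerialNumber.Int64()] {
		return errors.New("certificate revoked")
	}
	return nil
}
```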
