> I hadn't really taken a look at personal certificates until this thread
> came up. It looks like thawte is offering personal certificates at no
> charge.
>
> http://www.thawte.com/getinfo/products/personal/contents.html
Yep, and the society I work in develops a GPLed PKI, which is a Perl+PHP+LDAP app for rolling your own certificates (both user and server): http://idx-pki.idealx.com/

Certificates are indeed a straightforward way of getting SSO - but you have to carry your certificate with you whenever you change workstations. Here are reasonable solutions (trading security for convenience):

* most secure: use USB crypto tokens (slow and extra per-user price, but will safeguard the private key and destroy it upon attack);

* very secure: use dedicated workstations, one per user (impractical), or laptops (expensive but may be amortized with other needs);

* not so secure (equivalent of password SSO): carry the key on a floppy, and keep it password-encrypted at all times.

On the server side, you have to get your Apache to grok certificates (easy with recent versions of openssl), and the authentication info then gets passed down to PHP and Perl scripts as environment variables ("OK, this guy is called CN=John Doe, OU=sales, O=yourcompany - trust me on this"). You have to patch your apps, sure, but all the burden of binding a bunch of crypto bits to a name is removed from you in a highly secure fashion.

-- 
<< Not everything there is perfect, but the gardeners there are certainly honoured >>
Dominique Quatravaux <[EMAIL PROTECTED]>
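The server-side hand-off described in the reply above (mod_ssl exporting the verified client DN to scripts as environment variables), as an added example that is not part of the original message or of IDX-PKI: a Python CGI-style consumer of the same variables a Perl or PHP script would read from %ENV or $_SERVER. SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and the Apache directives named in the comments are standard mod_ssl; the DN strings used as input are constructed sample data, and the script only trusts the name once mod_ssl itself reports a successful chain check.

```python
import os

# Exported by Apache/mod_ssl to CGI/PHP/Perl (%ENV / $_SERVER) when the vhost has
# "SSLVerifyClient require", "SSLCACertificateFile <PKI CA>", "SSLOptions +StdEnvVars".
VERIFY_VAR = "SSL_CLIENT_VERIFY"  # "SUCCESS", "NONE", "GENEROUS" or "FAILED:<reason>"
SUBJECT_VAR = "SSL_CLIENT_S_DN"   # subject DN of the client certificate

def parse_dn(dn):
    """Split a subject DN into an ordered list of (attribute, value) pairs.
    Accepts the legacy mod_ssl form "/O=yourcompany/OU=sales/CN=John Doe" and
    the RFC 2253 form "CN=John Doe,OU=sales,O=yourcompany" of newer Apache
    releases; a backslash escapes the next character in either form."""
    sep = "/" if dn.startswith("/") else ","
    parts, buf, i = [], [], (1 if sep == "/" else 0)
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped separator or other char
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, eq, value = part.partition("=")
        if not eq:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def subject_from_environ(environ):
    """Return {"CN": ..., "OU": ..., "O": ...} for a verified client, else None.
    The DN is trusted only when mod_ssl reports a successful chain check;
    "GENEROUS" or "FAILED:..." mean the CA never vouched for that name."""
    if environ.get(VERIFY_VAR) != "SUCCESS":
        return None
    dn = environ.get(SUBJECT_VAR, "")
    if not dn:
        return None
    return dict(parse_dn(dn))  # last value wins for repeated attributes

if __name__ == "__main__":  # as a CGI: greet the certificate holder
    who = subject_from_environ(os.environ)
    print("Content-Type: text/plain\n")
    print("anonymous" if who is None else "hello %s (%s)" % (who["CN"], who.get("O", "?")))
```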