Client Authentication

[Doug Hardie]

On 24 March 2013, at 01:03, CeDeROM <cederom at tlen.pl> wrote:

> Why don't you just use PKI for authentication (you can generate your
> own certificates)? You can easily upload keys/certificated to client
> machines (PC, Android, Apple, ...). That should work :-)
> 

Thats exactly what I have been testing.  Its easy in concept, but there are issues in the details.  Once the certificate is loaded in a Mac and the password entered, its available for anyone to use thereafter.  You actually have to remove the certificate from the keychain to disable it.  Not a great approach for shared computers.  Most users will not know how to remove it properly.  I don't know about PCs yet though.  In addition there are possible issues with mail clients.  I have not tried them yet.  It all depends if they can handle p12 format certificates.  Pem format certificates must have the private key in plain format which renders them completely insecure.

Then there still is the issue about Safari (at least) not handling the no certificate case properly.

-- Doug