Hi,

In theory SSL-client-authentication ought to be the only way to authenticate to web-servers using PKI.

In reality this is not the case in many large-scale PKIs. In addition, things have been complicated by the introduction of Microsoft's CardSpace (formerly InfoCards) system, which uses signed XML assertions for login. The question then arises: what should we actually use?

Here are a number of side-effects of using SSL-client-authentication:

a. Typically radically different user-interfaces between authentication and signature operations with respect to certificates
b. Entirely different technical methods for (pre)selecting target certificate(s)
c. That authentication is performed in the transport layer is a disadvantage when using external SSL hardware accelerators
d. A subtle difference between authentication and signing is that signatures do not necessarily require that the issuer is known in advance, while SSL-client-authentication usually does
e. SSL-client-authentication in general has a rather awkward user-interface. This should be compared to other built-in HTTP authentication schemes (like Basic or Digest) which hardly anybody uses because "forms are much prettier"

My conclusion is that it is too early to settle on SSL-client-authentication (only), and that it is important to create a PKI-based alternative that matches form-based authentication. Security-wise there are no differences, assuming appropriate methods are used.

Comments?

Anders Rundgren

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto