Hey, I just ran into the first application of a client certificate authentication requirement on a public US government website that I've seen.
https://sportal.uspto.gov/secure/portal/efs-unregistered has information on the "unregistered submission" process, but it also strongly encourages people to register. The information on the "PAIR" system they have indicates that the private, not-yet-submitted information will only be accessed or accepted if the client computer authenticates via certificate, as well.

(I don't yet know details about their hierarchy. I'm working on it, though. However, I think that it's extremely likely that they're using a private-label CA for the certificate issuance.)

Personally, I think this is a huge step forward. While it's still a niche market, the fact that a US government organization is willing to do this suggests that others might in the future. (I'm thinking I'd eventually like to see this with the Internal Revenue Service. ;) )

-Kyle H

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto