Kyle Hamilton wrote:
Hey, I just ran into the first application of client certificate authentication requirement on a public US government website that I've seen.
As Nelson writes, this isn't really SSL client auth per se, but I agree it is interesting.
Personally, I think this is a huge step forward. While it's still a niche market, the fact that a US government organization is willing to do this suggests that others might in the future.
Speaking to Anders's point about provisioning, I think the largest deployment of client certificates in the US government is probably the DoD PKI implementation, where they solved the provisioning problem in a brute force manner by giving everybody hardware tokens. In other cases you'd have to give some people some incentive to participate; the PTO might be a good place to do so because there's a community of people (e.g., patent and trademark lawyers) who regularly interact with the PTO and are motivated to get in compliance with whatever security measures the PTO puts into place.
(I'm thinking I'd eventually like to see this with the Internal Revenue Service. ;) )
Maybe for a restricted community like tax preparers, but I think the chances of any nationwide certificate use by all taxpayers are very low given the failure of past efforts (like those of the USPS) to establish a general US government-to-citizen PKI.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto