In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de 
Bruyn wrote:
> Heck no to X.509.  We'd run into the same issue we have right now--a
> select group of companies charging users to prove their identity.

Why?

A user providing the public half of a self-signed certificate is
exactly the same as the user providing the public half of a
self-generated SSH key.

The fact that you can have a trust chain may be useful in some
cases.  For instance, I'm not at all opposed to the idea of the
government having a way to issue me a signed certificate that I
then use to access government services, like submitting my tax
return online, renewing my driver's license, or maybe even e-voting.

The X.509 certificates have an added bonus that they can be used
to secure the transport layer, something that your ssh-key-for-login
proposal can't do.

This is all a UI problem.  If Windows/OSX or Safari/Firefox/Chrome
prompted users to create or import a "user certificate" when first
run, and provided a one-click way to provide it to a form when signing
up, there would be a lot more incentive to use that method.  Today pretty
much the only place you see certificates for users is Enterprises with
Microsoft's certificate tools because of the UI problem.

-- 
       Leo Bicknell - bickn...@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
