Re: Browser usability of Certificates - List of issues

On Fri, Nov 21, 2014 at 7:37 AM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-11-21 12:58, henry.story@bblfish.net wrote:
> <snip>
>
>> Ok, in your case as you are creating certificates for the BBC (and its partners?),
>> which is a large enough community for these to have meaning. Perhaps an explanation
>> of how you use certificates would be useful. Where do people log in with your
>> Certificates? Only on the BBC site? Or also partner sites?
>>
>> In general CA requirements make it impossible to use for any
>> company smaller than the BBC. Particularly it makes it useless
>> for individuals or small companies, as without a CA nobody would
>> recognise their certificate. It would only be useable for their
>> own site, in which case username/passwords would be all that is
>> needed.
>>
>
> Henry,
> PKI (when it works) is just a better version of username/password.
>
Actually it is a lot more than that, and this is probably the "key" (sic)
element you're missing. PKI does not require servers to create and manage
usernames/passwords. Instead, it allows for a completely decentralized
system based on (a certain level of) trust. You _cannot_ create
usernames/passwords a priori for the whole planet. :-)

-- Andrei

>
> How far a specific certificate takes you is identical to any other login mechanism.
> Enterprise certificates typically aren't used outside of the enterprise.
>
> If your company is using AD, PKI comes for free as a part of the MSFT package.
> For this market PKI works reasonably well and this is the only market MSFT cares about.
>
> Anders

Received on Friday, 21 November 2014 14:12:54 UTC