Re: Browser usability of Certificates - List of issues

On 21 November 2014 15:12, Andrei Sambra <andrei.sambra@gmail.com> wrote:

>
>
> On Fri, Nov 21, 2014 at 7:37 AM, Anders Rundgren <
> anders.rundgren.net@gmail.com> wrote:
>
>> On 2014-11-21 12:58, henry.story@bblfish.net wrote:
>> <snip>
>>
>>> Ok, in your case as you are creating certificates for the BBC (and its
>>> partners?), which is a large enough community for these to have meaning.
>>> Perhaps an explanation of how you use certificates would be useful. Where
>>> do people log in with your Certificates? Only on the BBC site? Or also
>>> partner sites?
>>>
>>> In general CA requirements make it impossible to use for any
>>> company smaller than the BBC. Particularly it makes it useless
>>> for individuals or small companies, as without a CA nobody would
>>> recognise their certificate. It would only be useable for their
>>> own site, in which case username/passwords would be all that is
>>> needed.
>>>
>>
>> Henry,
>> PKI (when it works) is just a better version of username/password.
>>
> Actually it is a lot more than that, and this is probably the "key" (sic)
> element you're missing. PKI does not require servers to create and manage
> usernames/passwords. Instead, it allows for a completely decentralized
> system based on (a certain level of) trust. You _cannot_ create
> usernames/passwords a priori for the whole planet. :-)
>

Unless the username is the fingerprint and the password is the key material.


>
> -- Andrei
>
>>
>> How far a specific certificate takes you is identical to any other login
>> mechanism. Enterprise certificates typically aren't used outside of the
>> enterprise.
>>
>> If your company is using AD, PKI comes for free as a part of the MSFT
>> package. For this market PKI works reasonably well and this is the only
>> market MSFT cares about.
>>
>> Anders
>>
>

Received on Friday, 21 November 2014 14:16:02 UTC