On Aug 7, 2014, at 6:01, "Brian Wolff" <bawolff(a)gmail.com> wrote:
I've long wondered about that. Are there really no browser-based, public-key-based
solutions? Are there any fundamental reasons why that is like that
other than that it never got implemented, or never became popular?
It seems like the "right" solution for the password problem.
-Martijn

I think TLS has a feature where the client can also provide a
certificate, in order to use certificates to authenticate users. I've
never heard of a site actually using it.

I'd have to research the particulars, but I've seen many government/corporate
sites use TLS for user authentication with the Apache HTTP Server or JBoss. I know we
bounced the client certs off of CAs and CRLs on the server for authentication, but
don't remember how we shared the distinguished name (DN) with the higher level program
(e.g. PHP) for authorization. I'll see what I can find.
--Shawn
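
Added example, not part of the original thread and not any poster's own configuration: one way the setup discussed above (client certificates checked against a CA and its CRL, with the subject DN handed to the application) can be expressed with Apache 2.4 mod_ssl. The host name and all file paths are placeholders.

```apache
# Added illustration; ServerName and every path below are placeholders.
<VirtualHost *:443>
    ServerName app.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # CA certificate(s) that are trusted to issue client certificates.
    SSLCACertificateFile  /etc/ssl/example/client-ca.pem

    # CRL(s) published by that CA. In Apache 2.4 the file is only
    # consulted when SSLCARevocationCheck is enabled.
    SSLCARevocationFile   /etc/ssl/example/client-ca.crl
    SSLCARevocationCheck  chain

    # Refuse the TLS handshake unless the client presents a certificate
    # that chains to the CA above and is not revoked.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Export the SSL_* variables to the CGI/PHP environment. The
    # application can then read, for example:
    #   SSL_CLIENT_VERIFY  (SUCCESS when the certificate was verified)
    #   SSL_CLIENT_S_DN    (subject distinguished name of the client cert)
    #   SSL_CLIENT_I_DN    (issuer distinguished name)
    # In PHP these appear as $_SERVER['SSL_CLIENT_S_DN'] and so on.
    SSLOptions +StdEnvVars
</VirtualHost>
```

Authentication happens in the TLS handshake; authorization is still the application's job, typically by matching `SSL_CLIENT_S_DN` (and the issuer DN) against its own list of permitted users. Apache 2.4 formats the DN in RFC 2253 style by default, so code that compares DN strings should expect that form unless `SSLOptions +LegacyDNStringFormat` is set.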