On Aug 7, 2014, at 6:01, "Brian Wolff" bawolff@gmail.com wrote:
I've long wondered about that. Are there really no browser based public key based solutions? Are there any fundamental reasons why that is like that other than that it never got implemented, or never became popular?
It seems like the "right" solution for the password problem.
-Martijn
I think TLS has a feature where the client can also provide a certificate, in order to use certificates to authenticate users. I've never heard of a site actually using it.
I'd have to research the particulars, but I've seen many government/corporate sites use TLS for user authentication with the Apache HTTP Server or JBoss. I know we bounced the client certs off of CAs and CRLs on the server for authentication, but don't remember how we shared the distinguished name (DN) with the higher level program (e.g. PHP) for authorization. I'll see what I can find.
--Shawn
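
The setup described in the last message (the web server validates the client certificate, then hands the DN to the application for authorization) can be sketched as follows. This is an added example, not code from the thread or from any participant's deployment, and it is written in Python rather than the PHP mentioned. It assumes Apache mod_ssl with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`, which export `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN` to the application; the `ROLES` allowlist and its DN are constructed values.

```python
# Added example, not code from the thread. Assumes Apache mod_ssl with
# "SSLVerifyClient require" and "SSLOptions +StdEnvVars", so the verified
# certificate's subject reaches the app as SSL_CLIENT_S_DN (RFC 2253 style).

# Hypothetical allowlist (constructed values): full subject DN -> role.
ROLES = {
    (("CN", "Alice Example"), ("OU", "Ops, EU"), ("O", "Example Corp")): "admin",
}
HEX = "0123456789abcdefABCDEF"

def parse_dn(dn):
    """Return ordered (type, value) pairs; raise ValueError on anything
    this small parser cannot represent unambiguously (fail closed)."""
    pairs, buf, key, i = [], [], None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn) or dn[i + 1] in HEX:
                raise ValueError("unsupported escape")
            buf.append(dn[i + 1])  # escaped special character, e.g. "\,"
            i += 2
            continue
        if ch == "+":
            raise ValueError("multi-valued RDN not supported")
        if ch == "=" and key is None:
            key, buf = "".join(buf).strip().upper(), []
        elif ch == ",":
            if not key:
                raise ValueError("malformed DN")
            pairs.append((key, "".join(buf)))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if not key:
        raise ValueError("malformed DN")
    pairs.append((key, "".join(buf)))
    return tuple(pairs)

def authorize(environ):
    """Map a WSGI/CGI environ to a role, or None when access is denied."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None  # no certificate, or chain/CRL validation failed
    try:
        subject = parse_dn(environ.get("SSL_CLIENT_S_DN", ""))
    except ValueError:
        return None
    return ROLES.get(subject)  # exact match on the whole DN, never a substring
```

The application only trusts the DN when the server reports `SUCCESS`, and it compares the whole parsed DN so that a certificate whose subject merely contains an allowlisted name is not accepted.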