On 6/7/12, Aaron C. de Bruyn <aaron@heyaaron.com> wrote:
>> A TLS + Client-Side X.509 Certificate for every user.
> Heck no to X.509. We'd run into the same issue we have right now--a select group of companies charging users to prove their identity.
The PKI infrastructure and authority validation components are not required. Even if they were -- anyone can set up a PKI infrastructure; the problem is trust. Self-signed certificates are just fine for this application. The authentication credential stored on the server for the user can simply be the public key of the user's certificate and the certificate hash. There's no need for the TLS server to verify that the client cert is issued by a recognized authority, although it would be nice for there to be free X.509 certificate authorities to issue a signed TLS cert for e-mail address authentication. This would allow websites to accept user signup without a need to spam the user with an additional "Click this link here to prove that this is actually your real e-mail address". It should ideally be integrated with the web browser. The user should be prompted to create their certificate by their web browser, and given the option to self-sign an "Anonymous" certificate; use a free certificate authority that will list and validate their e-mail address; or use an alternate CA that will validate their e-mail address and optionally additional fields, such as a real name. Only fields listed on a certificate need to be verified. If a site doesn't trust the authority that issued the cert, the connection proceeds; the site just asks the user to prove "Yes, that really is their e-mail address".
> SSH does a good job of avoiding the pitfalls that most of those other products have.
SSH is vulnerable to MITM on the first connection to a new host: you are prompted to save a host key, but no one really verifies this. After you've saved a host key, if the host has to change keys for legitimate reasons, such as the previous host key being compromised, the SSH client refuses to connect, and the user has to manually remove entries from their known_hosts file. Username/password is more user-friendly than the SSH behavior, unfortunately, which means username/password would still be used in preference.
> Active Directory has costs associated with it.
Yes.
> OpenID requires setting up your own server or using a third party.
Most options that exist require setting up your own server or using a third party.
> Imagine signing up for a site by putting in your email and pasting your public key.
No... that's not convenient or user-friendly enough. "Public what?" There must be a browser integration where the public key is automatically submitted (with the user's permission). There are too many users who don't know how to use "copy and paste". There are too many users not willing to dig into their browser's settings to look up their public key.
--
-JH
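The credential scheme argued for above (the site stores the user's public key and certificate hash at signup and never checks for a CA signature), as an added Go example that is not code from this thread or its authors: the e-mail address, keys and certificates are constructed for the demonstration, and the names Enrollment, SelfSignedCert, Enroll and Matches are chosen here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Enrollment is the stored credential: the cert's public key (DER SubjectPublicKeyInfo) plus SHA-256 of the whole cert.
type Enrollment struct {
	PubKeyDER   []byte
	Fingerprint [32]byte
}

// SelfSignedCert builds a client cert carrying only an e-mail SAN, signed by its own key; no CA is involved.
func SelfSignedCert(email string, key ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), EmailAddresses: []string{email},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Enroll pins key and hash on first use, much as SSH saves a host key.
func Enroll(cert *x509.Certificate) Enrollment {
	return Enrollment{cert.RawSubjectPublicKeyInfo, sha256.Sum256(cert.Raw)}
}

// Matches is the login check a server would run from tls.Config.VerifyPeerCertificate
// (with ClientAuth: tls.RequireAnyClientCert) instead of building a chain to a CA.
func (e Enrollment) Matches(cert *x509.Certificate) bool {
	return bytes.Equal(e.PubKeyDER, cert.RawSubjectPublicKeyInfo) && e.Fingerprint == sha256.Sum256(cert.Raw)
}

func main() {
	_, alice, _ := ed25519.GenerateKey(rand.Reader) // constructed sample user
	cert, _ := SelfSignedCert("alice@example.com", alice)
	_, other, _ := ed25519.GenerateKey(rand.Reader) // a second key claiming the same address
	otherCert, _ := SelfSignedCert("alice@example.com", other)
	e := Enroll(cert)
	fmt.Println("enrolled cert accepted:", e.Matches(cert), "other key accepted:", e.Matches(otherCert))
}
```

As with SSH's known_hosts, a user who legitimately replaces their key needs a re-enrollment path, since Matches rejects every other key presented for the same address.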