httpd-dev mailing list archives

From Graham Leggett <>
Subject Re: Proposed: PKI Authentication for secure web access
Date Sun, 21 Nov 2010 20:06:30 GMT
On 21 Nov 2010, at 6:59 AM, Sander Temme wrote:

>> Thanks for the link Issac. If this is already in Apache, why isn't
>> everyone using it?
> Because key management is just too freaking hard, and too much of a  
> management and support burden.
> For God's sake, if we can't even get the Apache developer community  
> to use PGP without handholding, how would you expect the general  
> public to handle this tech?

In our experience, the hardest part about using certificates is  
overcoming the perception held by technical people that it's hard to  
use certificates.

Over the last three years, we have rolled out a certificate based  
infrastructure across a large organisation, with certs for all  
employees and external suppliers. The basic premise is that usernames  
and passwords are banned (unless completely unavoidable), and that  
your certificate gives you whatever access you need. Everything that  
requires "registration" of some kind has been configured to auto-register  
people from details in the certificates, so we have no  
centralised directory of any kind for people with certificates. Lots  
of problems evaporated as a result. When the certificate expires, or  
is revoked, the portcullis comes crashing down and you're locked out  
everywhere. There are no residual "does person X still have access"  

For end users, life is simple. If you need to access something, you  
simply go there, job done. No login forms, no registration, no asking  
somebody for access, no "forgot your password" forms, no obscure  
username that is annoyingly different to all your other usernames.

In our experience, unlike technical people, end users don't know that  
certificates are supposed to be hard, and so have never known they  
were supposed to consider certificates a problem. As a result, it's  
been very successful.


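The auto-registration model described above (identity and access derived from the verified client certificate, no central user directory, lock-out everywhere on expiry or revocation) can be sketched as the application-side half of that setup. This is an added example, not code from the thread or from httpd: it assumes the application sits behind Apache httpd with mod_ssl configured with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`, so that every request arrives with the verified certificate's fields in the `SSL_CLIENT_*` environment variables that mod_ssl documents. The trusted issuer DN, the OU-to-role mapping, the sample environ and the fixed clock values are all constructed for illustration.

```python
"""Auto-registration driven by a client certificate verified by mod_ssl.

Added example. Assumed httpd configuration (not shown on the page):

    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/ssl/staff-ca.pem
    SSLOptions +StdEnvVars

With that in place the application never sees a login form; it only reads
the SSL_CLIENT_* variables mod_ssl exports for the already-verified cert.
"""
from datetime import datetime, timezone

# Issuer DN we accept as a source of identity (assumed value). Comparing
# the issuer matters as soon as SSLCACertificateFile holds more than one CA.
# NOTE: httpd 2.2 prints DNs in the "/C=..../CN=..." form shown here; 2.4
# uses "CN=...,O=..." unless SSLOptions +LegacyDNStringFormat is set.
TRUSTED_ISSUER = "/C=GB/O=Example Corp/CN=Example Corp Staff CA"

# Access derived from certificate attributes instead of a directory lookup
# (assumed mapping; the thread does not say which fields the author used).
ROLE_BY_OU = {"Staff": "employee", "Suppliers": "supplier"}

# In-memory stand-in for whatever store the application keeps its
# auto-registered users in, keyed by (issuer DN, serial): a CN alone is
# not a stable or unique identifier across re-issued certificates.
REGISTRY = {}

# Constructed sample of the variables mod_ssl exports for one request.
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": TRUSTED_ISSUER,
    "SSL_CLIENT_S_DN": "/C=GB/O=Example Corp/OU=Staff/CN=Jane Doe/emailAddress=jane@example.org",
    "SSL_CLIENT_S_DN_CN": "Jane Doe",
    "SSL_CLIENT_S_DN_OU": "Staff",
    "SSL_CLIENT_S_DN_Email": "jane@example.org",
    "SSL_CLIENT_M_SERIAL": "0A1B2C3D",
    "SSL_CLIENT_V_START": "Jan  1 00:00:00 2010 GMT",
    "SSL_CLIENT_V_END": "Jan  1 00:00:00 2012 GMT",
}

# Fixed clocks so the demo is reproducible (constructed values).
SAMPLE_NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)
SAMPLE_EXPIRED_NOW = datetime(2013, 6, 1, tzinfo=timezone.utc)


class Rejected(Exception):
    """Raised when the request carries no usable certificate identity."""


def _parse_asn1_time(text):
    # mod_ssl/OpenSSL print times as "Jan  1 00:00:00 2012 GMT" (double
    # space before single-digit days); collapse whitespace before parsing.
    normalised = " ".join(text.split())
    return datetime.strptime(normalised, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def identity_from_environ(environ, now=None):
    """Derive the caller's identity from mod_ssl variables, or raise Rejected."""
    now = now or datetime.now(timezone.utc)
    # Only "SUCCESS" is acceptable. "NONE" means no certificate was sent,
    # "GENEROUS" is the optional_no_ca case (cert present but not verified)
    # and "FAILED:<reason>" is a verification failure.
    verify = environ.get("SSL_CLIENT_VERIFY")
    if verify != "SUCCESS":
        raise Rejected("client certificate not verified: %r" % verify)
    if environ.get("SSL_CLIENT_I_DN") != TRUSTED_ISSUER:
        raise Rejected("certificate issued by untrusted CA")
    # httpd already rejects expired or not-yet-valid certificates during the
    # handshake; re-checking here is cheap defence in depth for the
    # application's own session handling.
    not_before = _parse_asn1_time(environ["SSL_CLIENT_V_START"])
    not_after = _parse_asn1_time(environ["SSL_CLIENT_V_END"])
    if not (not_before <= now < not_after):
        raise Rejected("certificate outside its validity period")
    serial = environ.get("SSL_CLIENT_M_SERIAL")
    cn = environ.get("SSL_CLIENT_S_DN_CN")
    if not serial or not cn:
        raise Rejected("certificate lacks serial or CN")
    return {
        "key": (environ["SSL_CLIENT_I_DN"], serial.upper()),
        "name": cn,
        "email": environ.get("SSL_CLIENT_S_DN_Email", ""),
        "role": ROLE_BY_OU.get(environ.get("SSL_CLIENT_S_DN_OU", ""), "none"),
    }


def auto_register(environ, now=None):
    """Create the user record on first sight, refresh it on every later visit."""
    ident = identity_from_environ(environ, now)
    first_seen = ident["key"] not in REGISTRY
    REGISTRY[ident["key"]] = ident
    return dict(ident, first_seen=first_seen)


def why_rejected(environ, now=None):
    """Return the rejection reason for logging, or None if the identity is usable."""
    try:
        identity_from_environ(environ, now)
        return None
    except Rejected as exc:
        return str(exc)


if __name__ == "__main__":
    print(auto_register(SAMPLE_ENVIRON, SAMPLE_NOW))
    print(why_rejected(SAMPLE_ENVIRON, SAMPLE_EXPIRED_NOW))
```

The "portcullis" property comes from httpd, not from this code: expiry is refused at the TLS handshake, and revocation is refused there too once `SSLCARevocationFile` or `SSLCARevocationPath` (and, in httpd 2.4, `SSLOCSPEnable`) is configured, so a revoked certificate never reaches the application at all. The application's job is only to refuse anything other than `SSL_CLIENT_VERIFY=SUCCESS`, pin the issuer, and key its records on something stable; it must never be reachable by a path that bypasses the `SSLVerifyClient require` virtual host.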