httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Lemaster <>
Subject Re: Proposed: PKI Authentication for secure web access
Date Sun, 21 Nov 2010 23:10:07 GMT
Now that's what I'm talking about. Are you guys hiring?

On Sun, Nov 21, 2010 at 12:06 PM, Graham Leggett <> wrote:

> In our experience, the hardest part about using certificates is overcoming
> the perception held by technical people that it's hard to use certificates.
> Over the last three years, we have rolled out a certificate based
> infrastructure across a large organisation, with certs for all employees and
> external suppliers. The basic premise is that usernames and passwords are
> banned (unless completely unavoidable), and that your certificate gives you
> whatever access you need. Everything that requires "registration" of some
> kind has been configured to auto-register people from details in the
> certificates, so we have no centralised directory of any kind for people
> with certificates. Lots of problems evaporated as a result. When the
> certificate expires, or is revoked, the portcullis comes crashing down and
> you're locked out everywhere. There are no residual "does person X still
> have access" problems.
> For end users, life is simple. If you need to access something, you simply
> go there, job done. No login forms, no registration, no asking somebody for
> access, no "forgot your password" forms, no obscure username that is
> annoyingly different to all your other usernames.
> In our experience, unlike technical people, end users don't know that
> certificates are supposed to be hard, and so have never known they were
> supposed to consider certificates a problem. As a result, it's been very
> successful.
> Regards,
> Graham
> --

View raw message