OpenID vs SSL/TLS client certificates

Daniel Patterson danpat at danpat.net
Mon Jul 18 21:16:07 PDT 2005


Hello all,

   Can someone explain the advantages of OpenID over using
   something like X.509 client certificates?  Perhaps I'm
   not understanding the implications of OpenID, but I'm
   not quite seeing what new thing it does.

   Given that there is a massive deployment of SSL-capable
   clients (including non-AJAX clients), wouldn't it make
   more sense to push that technology (assuming that OpenID
   can't do extra magic, please, correct me if I'm wrong)?

   If a user publishes an X.509 self-signed certificate at a
   URL controlled by them, and asserts that URL as their
   ID (i.e. very similar to what OpenID is doing), then
   they can prove ownership of that URL by establishing
   an SSL connection using the corresponding private key
   for that certificate.  Heck, the private key could
   include the URL that the self-signed public certificate
   is posted to, and the user wouldn't even need to supply
   anything. Most modern browsers include a GUI for
   selecting which private key to use that they present when
   they come across an SSL enabled site that requires a client
   certificate, and there are multiple to choose from.

   The only piece I can see missing from the SSL puzzle is
   a tool that makes it easy for people to create, sign
   and publish X.509 certificates (there seems to be this
   impression that certificates have to be issued by
   trusted authorities, which they don't).

daniel
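The scheme sketched in this post, worked through as an added example (it is not code from the post or from the yadis project): a user generates a self-signed X.509 certificate that names their identity URL in a URI subjectAltName, publishes the certificate at that URL, and proves the claim to a relying party by completing a client-authenticated TLS handshake with the matching private key. The relying party then checks that the certificate it was shown is the one published at the URL the certificate names. The identity URL `https://example.com/alice/` is hypothetical, and the `publishedCerts` map is a constructed stand-in for fetching the published document over HTTPS.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// identityURL is a hypothetical identity URL chosen for this example.
const identityURL = "https://example.com/alice/"

// publishedCerts stands in for the document posted at an identity URL
// (a constructed in-memory map rather than a real HTTPS fetch).
var publishedCerts = map[string][]byte{}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeSelfSigned builds an ECDSA key and a self-signed X.509 certificate. A
// non-empty idURL goes into a URI subjectAltName (the "key could include the
// URL" idea); a non-nil ip makes a pinnable certificate for the loopback server.
func makeSelfSigned(idURL string, ip net.IP) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if idURL != "" {
		u, err := url.Parse(idURL)
		must(err)
		tmpl.URIs = []*url.URL{u}
	}
	if ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true // serves as its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// verifyClaim is the relying party's check after the handshake: a URL named in
// the certificate must publish this exact certificate. The handshake proved
// possession of the private key; the published copy proves control of the URL.
func verifyClaim(peer *x509.Certificate) (string, error) {
	for _, u := range peer.URIs {
		if published, ok := publishedCerts[u.String()]; ok && bytes.Equal(published, peer.Raw) {
			return u.String(), nil
		}
	}
	return "", errors.New("no URL named in the client certificate publishes that certificate")
}

// runHandshake makes one client-authenticated TLS connection over loopback. TLS
// itself only demands that some certificate be presented (RequireAnyClientCert);
// tying it to a URL is the application's job, done by the server in verifyClaim.
func runHandshake(serverCert, clientCert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAnyClientCert,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var id string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := conn.(*tls.Conn)
			if err = tc.Handshake(); err == nil {
				id, err = verifyClaim(tc.ConnectionState().PeerCertificates[0])
			}
		}
		done <- err
	}()
	pool := x509.NewCertPool()
	pool.AddCert(serverCert.Leaf) // the client pins the self-signed server certificate
	cc, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: pool, Certificates: []tls.Certificate{clientCert},
	})
	if err != nil {
		return "", err
	}
	defer cc.Close()
	err = <-done // wait for the server's verdict before the client hangs up
	return id, err
}

func main() {
	server := makeSelfSigned("", net.ParseIP("127.0.0.1"))
	alice := makeSelfSigned(identityURL, nil)
	publishedCerts[identityURL] = alice.Leaf.Raw // Alice posts her certificate at her URL
	fmt.Println(runHandshake(server, alice))
	mallory := makeSelfSigned(identityURL, nil) // same URL claim, a key nobody published
	fmt.Println(runHandshake(server, mallory))
}
```

Two points for anyone deploying this. The relying party must fetch the published certificate over a channel it can authenticate (HTTPS with the site's server certificate validated), because the URL, not a CA signature, is the root of trust here, and whoever can tamper with that fetch can substitute their own certificate. And the user revokes or rotates simply by replacing the published certificate, so the relying party should refetch at login rather than cache the binding indefinitely.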


More information about the yadis mailing list