OpenID vs SSL/TLS client certificates
danpat at danpat.net
Mon Jul 18 21:16:07 PDT 2005
Can someone explain the advantages of OpenID over using
something like X.509 client certificates? Perhaps I'm
not understanding the implications of OpenID, but I'm
not quite seeing what new thing it does.
Given that there is a massive deployment of SSL-capable
clients (including non-AJAX clients), wouldn't it make
more sense to push that technology (assuming that OpenID
can't do extra magic; please correct me if I'm wrong)?
If a user publishes an X.509 self-signed certificate at a
URL controlled by them, and asserts that URL as their
ID (i.e. very similar to what OpenID is doing), then
they can prove ownership of that URL by establishing
an SSL connection using the corresponding private key
for that certificate. Heck, the private key could
include the URL that the self-signed public certificate
is posted to, and the user wouldn't even need to supply
anything. Most modern browsers include a GUI for
selecting which private key to use, which they present when
they come across an SSL-enabled site that requires a client
certificate and there are multiple to choose from.
The only piece I can see missing from the SSL puzzle is
a tool that makes it easy for people to create, sign
and publish X.509 certificates (there seems to be this
impression that certificates have to be issued by
trusted authorities, which they don't).
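The scheme sketched in the post, as an added example that is not part of the original message: a user self-signs an X.509 certificate that carries their identity URL, publishes that certificate at the URL, and authenticates to a site with TLS client authentication. The part shown here is the relying party's binding check that has to run after the handshake has proved possession of the private key: fetch whatever is published at the URL the presented certificate asserts and require it to be that same certificate, so a second self-signed certificate asserting the same URL is rejected. Assumptions of this example: the OpenSSL command-line tool (1.1.1 or later, for `-addext`); the URL is carried in the certificate's subjectAltName extension (the post speaks of putting it in the key; in X.509 it goes in the certificate); the HTTPS fetch is simulated by a local directory standing in for the user's web server, and the handshake itself is not performed. The identity URL `https://alice.example/id` and the names Alice and Mallory are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post). Self-signed X.509
# identity certificates and the relying-party check that binds a
# presented certificate to the URL it asserts.
# Assumptions: OpenSSL >= 1.1.1 on PATH; the "web server" is a directory.

set -u

# Create a key pair and a self-signed certificate whose subjectAltName
# holds the identity URL. (Assumed design: URL in the cert's SAN.)
make_identity_cert() {           # make_identity_cert DIR URL
    mkdir -p "$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$1/key.pem" -out "$1/cert.pem" -days 365 \
        -subj "/CN=identity" -addext "subjectAltName=URI:$2" >/dev/null 2>&1
}

# Where the simulated web server stores the certificate for a URL.
# Stands in for an HTTPS GET of the URL in this offline example.
published_path() {               # published_path STORE URL
    printf '%s/%s.pem' "$1" "$(printf '%s' "$2" | sed 's|[^A-Za-z0-9._-]|_|g')"
}

publish_cert() {                 # publish_cert CERT STORE URL
    mkdir -p "$2"
    cp "$1" "$(published_path "$2" "$3")"
}

# The URL a certificate asserts: its first URI-type subjectAltName.
cert_uri() {                     # cert_uri CERT
    openssl x509 -in "$1" -noout -text \
        | grep -o 'URI:[^, ]*' | head -n 1 | cut -c5-
}

cert_fingerprint() {             # cert_fingerprint CERT -> SHA-256 hex
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Relying-party check, run after the TLS handshake has already proved
# possession of the private key: the URL in the presented certificate
# must publish exactly this certificate. Possession of *some* key that
# asserts the URL is not enough; anyone can self-sign such a cert.
verify_claim() {                 # verify_claim PRESENTED_CERT STORE
    claimed=$(cert_uri "$1")
    [ -n "$claimed" ] || { echo "REJECT: no URI in certificate"; return 1; }
    published=$(published_path "$2" "$claimed")
    [ -f "$published" ] || { echo "REJECT: nothing published at $claimed"; return 1; }
    if [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$published")" ]; then
        echo "verified: $claimed"
    else
        echo "REJECT: presented certificate is not the one published at $claimed"
        return 1
    fi
}

# Scenario: Alice publishes her certificate; Mallory self-signs a
# certificate asserting Alice's URL but cannot publish it there.
demo() {
    work=$(mktemp -d)
    url="https://alice.example/id"            # constructed identity URL
    make_identity_cert "$work/alice" "$url"
    publish_cert "$work/alice/cert.pem" "$work/store" "$url"
    make_identity_cert "$work/mallory" "$url"
    verify_claim "$work/alice/cert.pem" "$work/store"     # verified
    verify_claim "$work/mallory/cert.pem" "$work/store"   # REJECT
    rm -rf "$work"
}

demo
```

The check compares certificate fingerprints rather than parsing public keys, which is what the TLS handshake has already authenticated; equality of the published and presented certificates is the whole assertion. Note what the example leaves out: the handshake (proof of possession) and the fetch over HTTPS, where the relying party must also authenticate the server it fetches from, or an attacker who can spoof the identity URL can publish their own certificate there.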