OpenID vs SSL/TLS client certificates
Richard 'toast' Russo
russor at msoe.edu
Mon Jul 18 22:14:53 PDT 2005
--- Daniel Patterson <danpat at danpat.net> wrote:
> Hello all,
> Can someone explain the advantages of OpenID over using
> something like X.509 client certificates? Perhaps I'm
> not understanding the implications of OpenID, but I'm
> not quite seeing what new thing it does.
> Given that there is a massive deployment of SSL-capable
> clients (including non AJAX clients), wouldn't it make
> more sense to push that technology (assuming that OpenID
> can't do extra magic, please, correct me if I'm wrong)?
> If a user publishes an X.509 self-signed certificate at a
> URL controlled by them, and asserts that URL as their
> ID (i.e. very similar to what OpenID is doing), then
> they can prove ownership of that URL by establishing
> an SSL connection using the corresponding private key
> for that certificate. Heck, the private key could
> include the URL that the self-signed public certificate
> is posted to, and the user wouldn't even need to supply
> anything. Most modern browsers include a GUI for
> selecting which private key to use that they present when
> they come across an SSL enabled site that requires a client
> certificate, and there are multiple to choose from.
> The only piece I can see missing from the SSL puzzle is
> a tool that makes it easy for people to create, sign
> and publish X.509 certificates (there seems to be this
> impression that certificates have to be issued by
> trusted authorities, which they don't).
This is the primary piece that's missing. X.509 certs have been
around for ages, but nobody has created something that's easy to use
as an end user, identity issuer, and identity consumer. Also, SSL is
out of reach for many small sites.
OpenID is pretty darn easy for an end user, not too bad for an
identity consumer, and not that hard for identity issuers either.
More information about the yadis
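The scheme Daniel sketches above (self-signed cert published at a URL the user controls, ownership proven by holding the matching private key), as an added loopback mock-up that is not from this thread and not anyone's real implementation. It assumes OpenSSL 1.1.1 or later on PATH, uses the hypothetical identity URL https://danpat.net/id, and stands in for the TLS client-auth handshake with an explicit signed nonce, which is the same proof of possession a client makes when it signs the handshake with its certificate's key. Everything it produces lives in a temp directory; nothing is fetched over the network, the "published" cert is just a copy of the file that would be served at the URL.

```shell
#!/bin/sh
# Added example: relying-party checks for a self-signed X.509 identity cert.
# Assumptions: OpenSSL >= 1.1.1; the identity URL below is hypothetical;
# the signed nonce stands in for the TLS client-auth handshake signature.
set -eu

WORK="$(mktemp -d)"
ID_URL="https://danpat.net/id"   # hypothetical identity URL (constructed)

# User side: a self-signed cert whose subjectAltName names the identity URL.
# No CA is involved; the cert only binds a public key to that URL.
# make_cert NAME URL  -> writes $WORK/NAME.key and $WORK/NAME.crt
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=identity-holder" \
        -addext "subjectAltName=URI:$2" >/dev/null 2>&1
}

# Relying-party side.

# SHA-256 over the DER encoding, to compare the presented and published certs.
cert_fingerprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# First URI-type subjectAltName in the cert (empty string if there is none).
cert_uri() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'URI:[^,[:space:]]*' | head -n 1 | sed 's/^URI://'
}

# verify_identity PRESENTED_CERT PUBLISHED_CERT CLAIMED_URL CLIENT_KEY
#   1. the presented cert must name CLAIMED_URL in its subjectAltName
#   2. it must be byte-for-byte the cert published at CLAIMED_URL
#   3. the client must prove possession of the matching private key
# Returns 0 if all three hold, 1 otherwise.
verify_identity() {
    presented="$1"; published="$2"; claimed="$3"; key="$4"
    [ "$(cert_uri "$presented")" = "$claimed" ] || return 1
    [ "$(cert_fingerprint "$presented")" = "$(cert_fingerprint "$published")" ] || return 1
    nonce="$WORK/nonce.$$"
    openssl rand -hex 32 > "$nonce"
    # Client: sign the relying party's fresh nonce with its private key.
    openssl dgst -sha256 -sign "$key" -out "$nonce.sig" "$nonce"
    # Relying party: verify with the public key from the published cert.
    openssl x509 -in "$published" -pubkey -noout > "$nonce.pub"
    openssl dgst -sha256 -verify "$nonce.pub" -signature "$nonce.sig" "$nonce" \
        >/dev/null 2>&1
}

# Genuine identity: the cert served at $ID_URL is the one the client presents.
make_cert id "$ID_URL"
cp "$WORK/id.crt" "$WORK/published.crt"
# Impostor: a different key pair whose cert also claims $ID_URL in its SAN.
make_cert impostor "$ID_URL"

if verify_identity "$WORK/id.crt" "$WORK/published.crt" "$ID_URL" "$WORK/id.key"; then
    echo "genuine client: accepted"
fi
if ! verify_identity "$WORK/impostor.crt" "$WORK/published.crt" "$ID_URL" "$WORK/impostor.key"; then
    echo "impostor with own cert and key: rejected"
fi
```

The SAN check is what makes the URL the identifier rather than the cert itself: an attacker can copy the public cert from the URL, so step 2 alone proves nothing, and step 3 is the part TLS client authentication provides for free once the relying party's server requests a client certificate. The missing piece Richard points at, tooling that makes steps like make_cert and the publishing step painless for ordinary users, is exactly what this script does not solve.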