Date:      Sun, 24 Mar 2013 01:16:33 -0700
From:      Doug Hardie <>
To:        CeDeROM <>
Cc:        " List" <>
Subject:   Re: Client Authentication
Message-ID:  <>
In-Reply-To: <>
References:  <> <>


On 24 March 2013, at 01:03, CeDeROM <> wrote:

> Why don't you just use PKI for authentication (you can generate your
> own certificates)? You can easily upload keys/certificates to client
> machines (PC, Android, Apple, ...). That should work :-)

That's exactly what I have been testing.  It's easy in concept, but there
are issues in the details.  Once the certificate is loaded in a Mac and
the password entered, it's available for anyone to use thereafter.  You
actually have to remove the certificate from the keychain to disable it.
Not a great approach for shared computers.  Most users will not know
how to remove it properly.  I don't know about PCs yet though.  In
addition there are possible issues with mail clients.  I have not tried
them yet.  It all depends if they can handle p12 format certificates.
Pem format certificates must have the private key in plain format which
renders them completely insecure.

Then there still is the issue about Safari (at least) not handling the
no certificate case properly.

-- Doug
