For a while now, my PKI in Aerospace Consulting company has been working on finding ways to make PKI more usable. From the "Relying Party" side of the equation, I think we're getting fairly close. Between some of the advances that others have made (such as Microsoft CAPI now doing Path Discovery and Validation mostly correctly) and our own work on writing an open source Path Discovery and Validation Daemon that can be used by programs like Apache and FreeRADIUS, I think there is very little reason why someone could not actually build a site and fully use certificates for authentication (especially with the certificate information patches that we've just published for Apache).
Now, the problems we're seeing are on the pure client side, such as in browsers, mail clients, VPN clients, or wireless clients in the open source world. The nice thing about the proprietary world of Microsoft and Apple is that they, for the most part, all use their platform certificate store (CAPI on Microsoft, and the KeyChain on Apple). In the open source world, certificates, keys and trust anchors can be just about anyplace. And, most annoyingly, applications built by the same projects don't even use the same certificate stores (I'm looking at you, Firefox and Thunderbird, and you too KMail and Konqueror). So, consider this a call for someone (maybe the LSB folks) to come up with a full standard that everyone can adopt for both trust anchors and user keys/certificates, and then please, please, everyone use that[1].
[1] - Yes, I know WHY Firefox and Thunderbird have their own store: so that they don't have to implement per-platform solutions, thereby easing their FIPS validation. At the very least, they COULD implement a common certificate store used by both (and any other LibNSS-using application). At least then I wouldn't have to install all of my certificates twice. If the Mozilla folks wanted to really endear themselves to the community, they would also, once a single store is in place, at least give an install-time option for those that need it to use the system certificate stores, instead of the LibNSS specific store.
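One practical consequence of every application keeping its own store is that the set of trust anchors drifts between them: an anchor gets added to the system bundle but not to the NSS database, or the other way round. The script below is an added example (not code from the original post or from any of the projects named) that compares two PEM bundles by SHA-256 fingerprint and reports which anchors are unique to either side. It assumes both stores can be exported as PEM "CERTIFICATE" blocks, uses only the Python standard library, and the two sample bundles it ships with are constructed stand-ins whose payloads are not real certificates.

```python
# Added example, not from the original post: compare the trust anchors held in
# two PEM bundles by SHA-256 fingerprint, so that an anchor installed into one
# store (e.g. the system bundle) but missing from another (e.g. an export of an
# NSS database) shows up. The sample bundles below are constructed stand-ins;
# their "DER" payloads are not real X.509 data.
import base64
import hashlib
import re
from typing import Dict, List

# Body of one PEM CERTIFICATE block; the body may span many base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pem_block(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )


def load_bundle(bundle_text: str) -> Dict[str, bytes]:
    """Map fingerprint -> DER for every CERTIFICATE block in a PEM bundle.

    Text between blocks (e.g. "# Issuer:" comment lines that some bundle
    formats carry) is ignored because only block bodies are matched.
    Duplicate anchors collapse onto one fingerprint. Malformed base64 raises
    rather than silently dropping an anchor.
    """
    anchors: Dict[str, bytes] = {}
    for match in PEM_BLOCK.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        anchors[der_fingerprint(der)] = der
    return anchors


def diff_stores(store_a: str, store_b: str) -> Dict[str, List[str]]:
    """Report which fingerprints are shared and which are unique to either bundle."""
    a = set(load_bundle(store_a))
    b = set(load_bundle(store_b))
    return {
        "common": sorted(a & b),
        "only_in_a": sorted(a - b),
        "only_in_b": sorted(b - a),
    }


# Constructed stand-in payloads (not real certificates) so the demo runs offline.
SHARED_DER = b"constructed anchor present in both stores"
SYSTEM_ONLY_DER = b"constructed anchor installed only into the system bundle"
NSS_ONLY_DER = b"constructed anchor installed only into the NSS database"

SYSTEM_BUNDLE = pem_block(SHARED_DER) + pem_block(SYSTEM_ONLY_DER)
NSS_BUNDLE = (
    "# constructed export of an NSS database\n"
    + pem_block(NSS_ONLY_DER)
    + pem_block(SHARED_DER)
)


if __name__ == "__main__":
    report = diff_stores(SYSTEM_BUNDLE, NSS_BUNDLE)
    for key, fingerprints in report.items():
        print(f"{key}: {len(fingerprints)}")
        for fp in fingerprints:
            print("   ", fp)
```

To use it on a real system, feed `diff_stores` the contents of the distribution's CA bundle and a PEM export of the application store being checked; anything in `only_in_a` or `only_in_b` is an anchor that one application trusts and the other does not, which is exactly the "install everything twice" problem the post describes, and also the place where an unexpected anchor would first become visible.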