30 Sep 2009 ppatters   » (Master)

For a while now, my company, PKI in Aerospace Consulting, has been working on finding ways to make PKI more usable. From the "Relying Party" side of the equation, I think we're getting fairly close. Between some of the advances that others have made (such as Microsoft CAPI now doing Path Discovery and Validation mostly correctly), and our own work on writing an open source Path Discovery and Validation Daemon that can be used by programs like Apache and FreeRADIUS, I think there is very little reason why someone could not actually build a site and fully use certificates for authentication (especially with the certificate information patches that we've just published for Apache).

Now, the problems we're seeing are on the pure client side, such as in browsers, mail clients, VPN clients, or wireless clients in the open source world. The nice thing about the proprietary world of Microsoft and Apple is that they, for the most part, all use their platform certificate store (CAPI on Microsoft, and the Keychain on Apple). In the open source world, certificates, keys and trust anchors can be just about anyplace. And, most annoyingly, even applications built by the same projects don't use the same certificate stores (I'm looking at you, Firefox and Thunderbird, and you too KMail and Konqueror). So, consider this a call for someone (maybe the LSB folks) to come up with a full standard that everyone can adopt for both trust anchors and user keys/certificates, and then please, please, everyone use that[1].

[1] - Yes, I know WHY Firefox and Thunderbird have their own store: so that they don't have to implement per-platform solutions, thereby easing their FIPS validation. At the very least, they COULD implement a common certificate store used by both (and by any other LibNSS-using application). At least then I wouldn't have to install all of my certificates twice. If the Mozilla folks wanted to really endear themselves to the community, they would also, once a single store is in place, at least give those who need it an install-time option to use the system certificate stores instead of the LibNSS-specific store.
