http://www.advogato.org/person/ppatters/ Advogato blog for ppatters en-us mod_virgule Sun, 19 May 2013 18:09:10 GMT Wed, 30 Sep 2009 19:50:53 GMT http://www.advogato.org/person/ppatters/diary.html?start=1 http://www.advogato.org/person/ppatters/diary.html?start=1 For a while now, my <a href="http://www.carillon.ca/" >PKI in Aerospace Consulting</a> company has been working on finding ways to make PKI more usable. From the "Relying Party" side of the equation, I think we're getting fairly close. Between some of the advances that others have made (such as Microsoft CAPI now doing Path Discovery and Validation mostly correctly), and our own work on writing an open source <a href="http://www.carillon.ca/tools/pathfinder.php" >Path Discovery and Validation Daemon</a> that can be used by programs like <a href="http://www.carillon.ca/tools/pf_apache2.php" >Apache</a> and <a href="http://www.carillon.ca/tools/pf_freeradius.php" >Free Radius</a>, I think there is very little reason why someone could not actually build a site and fully use certificates for authentication (especially with the <a href="http://www.carillon.ca/tools/apache_sslinfo.php" >certificate information patches</a> that we've just published for Apache).<br> <p> Now, the problems we're seeing are on the pure client side, such as in browsers, mail clients, VPN clients, or wireless clients in the open source world. The <b>nice</b> thing about the proprietary world of Microsoft and Apple is that they, for the most part, all use their platform certificate store (CAPI on Microsoft, and the KeyChain on Apple). In the open source world, certificates, keys and trust anchors can be just about anyplace. And, most annoyingly, even applications built by the same projects don't even use the same certificate stores (I'm looking at you, Firefox and Thunderbird, and you too KMail and Konqueror). So, consider this a call for someone (maybe the LSB folks) to come up with a full standard that everyone can adopt for both trust anchors and user keys/certificates, and then please, please, everyone use that¹. <p> [1] - Yes, I know WHY Firefox and Thunderbird have their own store: so that they don't have to implement per-platform solutions, thereby easing their FIPS validation. At the very least, they COULD implement a common certificate store used by both (and any other LibNSS-using application). At least then I wouldn't have to install all of my certificates twice. If the Mozilla folks wanted to really endear themselves to the community, they would also, once a single store is in place, at least give an install-time option for those that need it to use the system certificate stores, instead of the LibNSS specific store. Fri, 14 Mar 2003 22:01:18 GMT http://www.advogato.org/person/ppatters/diary.html?start=0 http://www.advogato.org/person/ppatters/diary.html?start=0 For some people, this won't make any sense... <p> Blogging is about to become VERY popular at Net Integration Technologies - that crazy place where I work (along with <a href="http://www.advogato.org/person/pphaneuf/" >pphaneuf</a> and <a href="http://www.advogato.org/person/apenwarr/" >apenwarr</a>). A bunch of us have been active in varying capacities around the Net for quite a while, with some being more active than others. <p> Now, in the hopes of garnering recognition for NITI (as we generally shorten it to), and the cool stuff we're working on, and of course the shameless plug of ourselves... we're hopping on the Blog bandwagon. We're already pretty open about giving stuff we do away (check out <a HREF="http://open.nit.ca" >http://open.nit.ca</a> sometime), but I guess we just need to talk about it more. <p> So, expect more noise (not sure whether it will be signal yet) out of us at the very least.