💾 Archived View for rawtext.club › ~sloum › geminilist › 001033.gmi captured on 2020-10-31 at 02:00:07. Gemini links have been rewritten to link to archived content


Client certificate musings

Felix Queißner felix at masterq32.de

Sun May 24 22:16:05 BST 2020

- - - - - - - - - - - - - - - - - - - 

Hey!

thoughts about client certificates

First of all: I really love the idea of client certificates, especially for short-term session management; it's a nice idea!

I wanted to write a much longer, more detailed answer with deeper insight, but I don't think I'll find the time for that, so I just share my "main" concern/idea:

When I first read the idea of the persistent/long-term certificates, I didn't even come across the idea of using it for whitelisting.

My first thought was: Nice, this makes some really good identity management for web forums/shops/chats/...

It gives the client full control over their identity. I can use multiple client certificates for the same site to manage different identities.

What I imagined in a client was this: https://i.imgur.com/Ayh2sVx.png

When a server requests use of a client certificate, you get to choose one of many identities, maybe even share an identity between sites for collaborating services.

You are always allowed to create new identities, destroy old ones.

</end-of-vision

It didn't occur to me that certificates require a lifetime to be chosen, and now I'm thinking about how to solve this.

The "easy" way would be to create certificates with 150 year duration,and force the recovery strategies on the user. But as already discussed,this isn't practical and losing the certificate and/or key would requiresome kind of account recovery strategy.

E-mail recovery is a usual strategy common in the web space, but I'm not a huge fan of that. Another possibility would be that the server gives the user a common secret that allows re-connection of an account to a new certificate, but there's the same problem of the lost identity.

Regards
- xq
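As an added illustration (not part of xq's message or any Gemini project), here is one way a server could implement the recovery-secret idea from the last paragraph: accounts are keyed by the client certificate's fingerprint, and a single-use secret, stored only as a hash, lets the user re-bind the account to a replacement certificate when the old one expires or its key is lost. The byte strings standing in for DER certificates are constructed, and the class and method names are my own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded client certificates (not real certs).
OLD_CERT = b"constructed-der:xq:valid-2020-05-24"
NEW_CERT = b"constructed-der:xq:valid-2021-01-01"


class IdentityStore:
    """Server-side account table: an account is bound to a client certificate
    fingerprint; a one-time recovery secret re-binds it to a new certificate."""

    def __init__(self) -> None:
        self._accounts: Dict[str, str] = {}    # cert fingerprint -> account name
        self._recovery: Dict[str, bytes] = {}  # account name -> sha256(secret)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # Hash of the whole DER certificate: a renewed certificate with a new
        # validity period gets a new fingerprint even if the key is unchanged,
        # which is exactly why a re-binding path is needed.
        return hashlib.sha256(cert_der).hexdigest()

    def _issue_secret(self, name: str) -> str:
        secret = secrets.token_urlsafe(24)
        self._recovery[name] = hashlib.sha256(secret.encode()).digest()
        return secret  # shown to the user once; only its hash is kept

    def register(self, cert_der: bytes, name: str) -> str:
        fp = self.fingerprint(cert_der)
        if fp in self._accounts or name in self._recovery:
            raise ValueError("certificate or account name already in use")
        self._accounts[fp] = name
        return self._issue_secret(name)

    def lookup(self, cert_der: bytes) -> Optional[str]:
        return self._accounts.get(self.fingerprint(cert_der))

    def rebind(self, new_cert_der: bytes, name: str, secret: str) -> Optional[str]:
        """Move `name` onto a new certificate. Returns a fresh recovery secret
        on success, None for an unknown account or a wrong secret."""
        stored = self._recovery.get(name)
        offered = hashlib.sha256(secret.encode()).digest()
        if stored is None or not hmac.compare_digest(stored, offered):
            return None
        # Unbind every old certificate so a lost one cannot be reused.
        for fp in [fp for fp, n in self._accounts.items() if n == name]:
            del self._accounts[fp]
        self._accounts[self.fingerprint(new_cert_der)] = name
        return self._issue_secret(name)  # the old secret is single-use
```

The secret is compared in constant time and rotated on every successful re-bind, so a secret that leaks after use is worthless and the lost-identity problem is reduced to keeping one short string safe.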