Problem:

Users need an “identity”, a client certificate, for a service. They create one, picking an expiration date a year or two in the future, and then they use the service. When the certificate expires, they lose access to their account.

Related problem:

Users use multiple devices. It can be hard to transfer a certificate and its key from one device to another. There is no way for these users to access a single account from multiple devices.

Username and Password establish identity

This solution reproduces the kind of user experience we already know: using a client certificate, create an account with a username and a password. Use this username and password with a different identity, possibly on a different account, and you have access to the same account.

In this setup, the client certificate is used to establish a session, but the identity is established using the username and password. This works well if the service uses usernames in the user interface.

Example: a service where I create an account and you can @mention my username in a message.

Username and Password to link identities

This solution reproduces the kind of user experience we already know: using a client certificate, create an account with a username and a password. Use this username and password with a different identity, possibly on a different account, and you establish the equivalence of the two client certificates.

In this setup, the client certificate is used to establish a session and an identity; other client certificates are linked to the first one using the username and password.

Depending on the service the account creation might be required even if no identities need to be linked. If users can name themselves or get assigned a generated name, the account creation can be deferred.

Temporary passwords to link identities

This solution is based on the solution above and recognises that usernames are not needed: using a client certificate, generate a temporary password valid for a few minutes. Use this password with a different identity, possibly on a different account, and you establish the equivalence of the two client certificates.

In this setup, the client certificate is used to establish a session and an identity; other client certificates are linked to the first one within the few minutes the temporary password is valid. The temporary password expires after a few minutes and doesn't have to be stored.

If users need a name, they either name themselves or get assigned a generated name.
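The temporary-password linking flow, as an added example rather than code from the original page: the existing certificate's session issues a short-lived, single-use code, and a session under the new certificate redeems it to join the same account. It assumes certificates are identified by a fingerprint string, a five-minute validity window, and that a certificate already tied to a different account is refused rather than merged.

```python
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 300  # "a few minutes"; the exact value is an assumption


class IdentityLinker:
    """Links client-certificate fingerprints to accounts via temporary codes."""

    def __init__(self):
        self.accounts = {}  # cert fingerprint -> account id
        self.pending = {}   # sha256(code) -> (account id, expiry time)
        self._next_id = 1

    def account_for(self, fingerprint):
        # A certificate seen for the first time gets a fresh account
        # (the "generated name" case: no username required).
        if fingerprint not in self.accounts:
            self.accounts[fingerprint] = self._next_id
            self._next_id += 1
        return self.accounts[fingerprint]

    def issue_code(self, fingerprint, now=None):
        # Called over a session authenticated by the EXISTING certificate.
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)
        digest = hashlib.sha256(code.encode()).hexdigest()
        # Only the digest is stored; a leaked table yields no usable codes.
        self.pending[digest] = (self.account_for(fingerprint), now + CODE_TTL_SECONDS)
        return code

    def redeem(self, code, new_fingerprint, now=None):
        # Called over a session authenticated by the NEW certificate.
        now = time.time() if now is None else now
        digest = hashlib.sha256(code.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use, success or not
        if entry is None:
            return False
        account_id, expires_at = entry
        if now >= expires_at:
            return False
        # Assumption: a cert already on another account is not re-linked.
        if self.accounts.get(new_fingerprint, account_id) != account_id:
            return False
        self.accounts[new_fingerprint] = account_id
        return True

    def purge_expired(self, now=None):
        # Expired codes never need to persist, so drop them wholesale.
        now = time.time() if now is None else now
        self.pending = {d: v for d, v in self.pending.items() if v[1] > now}
        return len(self.pending)
```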