Ben Laurie blathering

Experimenting With Client Certificates

I was recently contacted about yet another attempt to use client certificates for authentication. As anyone paying attention knows, this has some attractions but is pretty much unusable in browsers because of their diabolical UIs. So, I was fascinated to learn that this particular demo completely avoids that issue by implementing TLS entirely in Javascript! This strikes me as a hugely promising approach: now we have complete freedom to experiment with UI, whilst the server side can continue to use off-the-shelf software and standard configurations.

Once a UI has been found that works well, I would hope that it would migrate into the browser itself; it seems pretty clear that doing this in the web page is not likely to lead to a secure solution in the long run. But in the meantime, anyone can have a crack at their own UI, and all they need is Javascript (OK, for non-coders that might sound like a problem, but believe me, the learning curve is way shallower than that of any browser I’ve played with).

Anyway, pretty much end-of-message, except for some pointers.

I am very interested in finding competent JS/UI people who would be interested in banging harder on this problem – I can do all the crypto stuff, but I confess UI is not my forte! Anyone out there?

Note, by the way, that the focus on browsers as the “home of authentication” is also a barrier to change – applications also need to authenticate. This is why “zero install” solutions that rely on browsers (e.g. OpenID) are likely doomed to ultimate failure – by the time you’ve built all that into an application (which is obviously not “zero install”), you might as well have just switched it to using TLS and a client certificate…


  1. Nice – I can kind of see how this could replace the OS anchored moving parts of an identity metasystem (e.g. CardSpace/Higgins) and provide something more portable.

    Sadly the demo seems to need more than just JavaScript. For those of us running the Flash Blocker extension in Chrome it’s clunky (and for me it ultimately fails, though it’s not clear why). The whole thing does seem to be pointed in the right direction though.

    Comment by Chris Swan — 14 Sep 2010 @ 19:06

  2. Yes, it does use Flash, but only for local storage, I am told. It could use HTML5 local storage, where supported, and I believe they’re making that change.

    Comment by Ben — 26 Sep 2010 @ 3:00
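As an added example (not code from the original post, nor from the demo it describes), here is the "HTML5 local storage where supported" idea from the comment above in working form: a small client-certificate store that feature-detects Web Storage with a real write rather than a bare `typeof` check, and falls back to a page-lifetime in-memory store when it is unavailable, which is the kind of failure Chris hit with Flash blocked. The names `ClientCertStore`, `detectStorage` and `memoryStorage` are hypothetical, and the storage backend is passed in so the code runs outside a browser.

```javascript
// Added example, not code from the original post or from the demo it
// describes. Names (ClientCertStore, detectStorage, memoryStorage) are
// hypothetical; the Storage object is injected so this runs outside a browser.

// Returns the candidate storage if it exists and actually accepts a write,
// otherwise null. A bare `typeof localStorage` check is not enough: some
// browsers expose the object but throw on setItem (private mode, zero quota),
// so the probe performs a real write and removes it again.
function detectStorage(candidate) {
  if (!candidate || typeof candidate.setItem !== 'function') return null;
  const probe = '__clientcert_probe__';
  try {
    candidate.setItem(probe, '1');
    candidate.removeItem(probe);
    return candidate;
  } catch (e) {
    return null;
  }
}

// Minimal in-memory object with the subset of the Storage interface used here.
// Contents vanish when the page is unloaded, which is the fallback behaviour
// when persistent storage is unavailable.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

class ClientCertStore {
  constructor(candidate) {
    const detected = detectStorage(candidate);
    // true when we had to fall back to memory; a UI can then tell the user
    // that the credential will not survive a reload.
    this.fallback = detected === null;
    this.backend = detected === null ? memoryStorage() : detected;
  }

  static key(label) { return 'clientcert:' + label; }

  // label: name shown in the UI; certPem / keyPem: PEM-encoded certificate and
  // private key. Anything in localStorage is readable by every script running
  // on the same origin, so the page's own scripts must be trusted for this
  // to be sound; that is the threat model the post's approach implies.
  save(label, certPem, keyPem) {
    const record = { label, certPem, keyPem, savedAt: Date.now() };
    this.backend.setItem(ClientCertStore.key(label), JSON.stringify(record));
  }

  load(label) {
    const raw = this.backend.getItem(ClientCertStore.key(label));
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch (e) { return null; } // corrupt entry
  }

  forget(label) { this.backend.removeItem(ClientCertStore.key(label)); }
}

// In a browser page this is how the store would be constructed; it is not
// called here so the file also runs under Node without Web Storage.
function makeBrowserStore() {
  const candidate = (typeof localStorage !== 'undefined') ? localStorage : null;
  return new ClientCertStore(candidate);
}
```

The probe write is the part worth copying: a store that only checks `typeof localStorage` will silently lose the credential on browsers where the object exists but every `setItem` throws, and the `fallback` flag lets the UI say so instead of failing "though it's not clear why".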
