Special Request: Client Certificates vs. OpenID

Alaric Dailey alaricdailey at hotmail.com
Mon Jan 22 19:02:06 UTC 2007

Client certificates could easily be used to extend OpenID, and since (last
time I checked) the authentication process was entirely up to the IdP, a
client-certificate-based IdP should be open to be created.

Most CAs have created a problem because they only allow a user to use their
certs (mostly because CAs don't all follow the same persona verification
standards, and to a lesser degree politics). Now, over at StartCom, Eddy has
created a system where users are allowed to register any certificate they
like to log in, very much like the USPS has done for the "Electronic Post

> -----Original Message-----
> From: specs-bounces at openid.net 
> [mailto:specs-bounces at openid.net] On Behalf Of McGovern, 
> James F (HTSC, IT)
> Sent: Monday, January 22, 2007 11:08 AM
> To: specs at openid.net
> Subject: Special Request: Client Certificates vs. OpenID
> Last week I sent a note to the list inquiring whether anyone 
> on this list wanted to participate in our industry vertical 
> standards body in hopes of ratifying OpenID as an endorsed 
> horizontal specification. In terms of preparation, it would 
> be greatly appreciated if Dick Hardt, Johannes Ernst and 
> other bloggers could from their blog discuss user-centric 
> identity as a potential solution to industry vertical 
> concerns since nothing neutral (produced by a vendor and not 
> an insurance carrier) exists in this regard.
> Other industry verticals such as Pharmaceutical have embraced 
> PKI approaches where they issue client certificates to 
> participants. Many PKI vendors have in secret created user 
> certificate management issues, the inability to allow for 
> roaming users, sharing of desktops, and other concerns that I 
> am of the belief that user-centric approaches could handle. 
> Of course PKI-centric and user-centric don't have to be 
> mutually exclusive but it would be wonderful if the blog 
> entry reflected how approaches such as SAFE (pharma) would 
> have looked in a user-centric world.
