OpenID + Client Certs = Win

February 22, 2008

I’m a big fan of OpenID. Or rather, I’m a big fan of what OpenID and data portability mean for the web at large in the coming white days. Single sign-on and distributed identity are ideas that have long been overlooked, and it’s time we changed that. The next time you write a web application, ask yourself: “do my users really need yet another set of login credentials?” Then implement OpenID. It’s really simple, especially in Rails. I gave a presentation on it at NHRuby last month (download PDF).

So, as gaga as I am over single sign-on for ease of use, I’m embarrassed to note that, like almost everyone else, I’ve completely overlooked client certificates for web-based authentication. Client certificates one-up single sign-on by removing the need for a login/password at all: the browser proves possession of a private key during the TLS handshake, and the server checks that the matching certificate chains to an issuer it trusts, so there is nothing for the user to type, phish or reuse. This isn’t new; it’s been available in every web browser for pretty much as long as anyone can remember. And yet I’ve never, ever seen a site that supports them as an authentication mechanism. Sad faces abound.

But wait! OpenID to the rescue! It turns out that MyOpenID (and a host of other OpenID providers) DO make use of them. So if you create a client certificate with your OpenID provider, you can eliminate the need to use a login/pass with any OpenID client site: the relying party still sends you through the usual OpenID redirect, but the provider authenticates you with the certificate instead of a password, so you never type one anywhere. Cheers to Dr Nic Williams for digging this up. Sometimes old (and ignored) is the new new. Rock on.
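To make the two points above concrete (the handshake itself is the login, and the provider is the only party that needs to trust the certificate), here is an added example in Ruby that is not from the original post and not MyOpenID’s code. It builds a throwaway CA, a provider certificate and two client certificates in memory, enrols one of them under an account, and then runs three connections against a TLS server standing in for the provider: the enrolled certificate, a self-signed certificate with the same CN, and no certificate at all. Every name in it (`openid.example`, `alice`, the account table) is made up, and it speaks raw TLS over a local socket rather than HTTP to keep the mechanism visible.

```ruby
require 'openssl'
require 'socket'

# Toy PKI built in memory for this example. Every name here is made up.
def issue_cert(subject:, pubkey:, issuer_key:, issuer_cert: nil, ca: false, eku: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3
  cert.serial = rand(1..(2**62))
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject   # nil issuer => self-signed
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.add_extension(ef.create_extension('extendedKeyUsage', eku, false)) if eku
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue_cert(subject: '/CN=Example OpenID Provider CA', pubkey: ca_key.public_key,
                  issuer_key: ca_key, ca: true)
  server_key = OpenSSL::PKey::RSA.new(2048)
  server = issue_cert(subject: '/CN=openid.example', pubkey: server_key.public_key,
                      issuer_key: ca_key, issuer_cert: ca, eku: 'serverAuth')
  alice_key = OpenSSL::PKey::RSA.new(2048)
  alice = issue_cert(subject: '/CN=alice', pubkey: alice_key.public_key,
                     issuer_key: ca_key, issuer_cert: ca, eku: 'clientAuth')
  # Same CN as alice, but self-signed: nothing in the provider's trust store vouches for it.
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue = issue_cert(subject: '/CN=alice', pubkey: rogue_key.public_key,
                     issuer_key: rogue_key, eku: 'clientAuth')
  { ca: ca, server: [server, server_key], alice: [alice, alice_key], rogue: [rogue, rogue_key] }
end

# Accounts are bound to the certificate itself (SHA-256 of the DER), not to a
# subject name that some other issuer could hand out again.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

def start_provider(server_cert, server_key, ca_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = server_cert
  ctx.key = server_key
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  # Both flags matter: VERIFY_PEER alone still admits a client that sends no certificate.
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  tcp = TCPServer.new('127.0.0.1', 0)
  [OpenSSL::SSL::SSLServer.new(tcp, ctx), tcp.addr[1]]
end

# Handle one connection. By the time accept returns, OpenSSL has already checked
# that a certificate was presented and that it chains to our CA; all that is left
# is to map it to an account. No password is exchanged at any point.
def serve_one(ssl_server, accounts)
  conn = ssl_server.accept
  account = accounts[fingerprint(conn.peer_cert)]
  conn.puts(account ? "welcome #{account}" : "unknown certificate")
  conn.close
  account
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
  nil   # handshake rejected: no certificate, or one we do not trust
end

# The browser side: open a TLS connection, optionally presenting a client cert.
def present_cert(port, ca_cert, cert = nil, key = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert if cert
  ctx.key = key if key
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER   # the client verifies the server as usual
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  ssl.sync_close = true
  ssl.connect
  reply = ssl.gets
  ssl.close
  reply&.strip
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
  nil
end

# Run the three cases against one provider: enrolled cert, untrusted cert, no cert.
def demo
  pki = build_pki
  accounts = { fingerprint(pki[:alice][0]) => 'alice' }   # the enrolment step
  provider, port = start_provider(*pki[:server], pki[:ca])
  results = {}
  { valid: pki[:alice], rogue: pki[:rogue], none: [nil, nil] }.each do |label, (cert, key)|
    server_side = Thread.new { serve_one(provider, accounts) }
    client_reply = present_cert(port, pki[:ca], cert, key)
    results[label] = [server_side.value, client_reply]
  end
  provider.close
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Only the enrolled certificate gets `welcome alice`; the self-signed one with an identical CN and the bare connection are both refused inside the handshake, before any application code runs. In a deployed Rails app you would not terminate TLS in Ruby like this: the front-end (for nginx, `ssl_verify_client on` with `ssl_client_certificate` pointing at the issuing CA) does the verification and passes the verified certificate to the app, which then does the same fingerprint-to-account lookup and issues the OpenID assertion.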

More details at Dr Nic’s blog.

