
Can we talk about client-side certificates? - freddyym
https://drewdevault.com/tls/security/oauth/2020/06/12/Can-we-talk-about-client-side-certs.html
======
znpy
I've been learning oauth at work and started implementing openid using
keycloak.

Now I'm in the process of setting up a private CA with Vault from HashiCorp.

What ddevault is proposing is basically oauth implemented in terms of TLS and
certificate authorities.

It's not bad as an idea, per se.

The problem is, as far as I see, that x509 and TLS pull into the discourse a
lot of hard topics. You pull in x509 and you also pull in the whole ITU/X.500
thing. Have fun with that.

Just these days I was thinking that I'm having a hard time finding certificate
authorities explained in terms of actors and interactions, instead of
cryptography.

Oauth/oidc instead is just that: authorization delegation. It starts and ends
with those RFC/specs.

It helps a lot to know that all you need to know is contained in that finite
number of documents.

------
grizzles
Agree 100%. I've thought this is the right way to do web SSO for as long as
there has been a web.

OpenID Connect & OAuth are privacy disasters. Before the advent of the
internet, customer lists (aka goodwill) were considered ultra proprietary
information that a company had.

Now this data is essentially given away to the big four or five internet
companies. Meanwhile, government is as useless as ever, content to fight their
culture battles as if nothing else mattered. Bad juju.

------
pabs3
The Debian experience with this is that browsers have terrible client cert UX
and are actively making that worse.

[https://lists.sr.ht/~sircmpwn/public-inbox/%3Cf7599ba5de4864...](https://lists.sr.ht/~sircmpwn/public-inbox/%3Cf7599ba5de4864a28293a53a1b9e4305e7c568d0.camel%40bonedaddy.net%3E)

------
Ayesh
We implemented a CA/client-cert based authentication, and decided to not do it
again.

- Users are used to just getting public/private API keys, and it's often
common knowledge how to store the private key securely.

- Tooling is surprisingly scarce. Not all API testing tools support client
certificates, and users didn't want to do the openssl dance.

- Users kept forgetting the certificate expiration date. We had to remind
them to do the openssl dance again every 3 months.

- For the server side, unit testing was a bit complicated because the TLS
implementation was supposed to be a separate layer from the actual
application.
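Added example, not written by any commenter in this thread: a Go program using only the standard library that stands in for the private CA znpy mentions and the 3-month client certificates Ayesh describes. It issues a client certificate from an in-memory CA, verifies it the way an mTLS server would at a given point in time (so an expired certificate is rejected), and flags certificates that fall inside a renewal-reminder window, which is the check an operator would run to avoid the "users kept forgetting the expiration date" problem. The CA name, user name, 90-day lifetime and 14-day reminder window are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueClientCert builds an in-memory private CA and issues one client
// certificate for user, valid for validFor starting at issuedAt.
// The CA name and serial numbers are constructed for this example.
func IssueClientCert(user string, issuedAt time.Time, validFor time.Duration) (*x509.Certificate, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             issuedAt.Add(-time.Hour),
		NotAfter:              issuedAt.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	// The client owns its key; only the public half reaches the CA. This is the
	// CSR-and-sign step of the "openssl dance", done in-process here.
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    issuedAt,
		NotAfter:     issuedAt.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	clientCert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return nil, nil, err
	}
	return caCert, clientCert, nil
}

// VerifyClient is what the server does on each TLS handshake: chain the
// presented certificate to the private CA, at time "at", for client auth.
// An expired or foreign-CA certificate returns a non-nil error.
func VerifyClient(caCert, clientCert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := clientCert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// RenewalDue reports whether cert expires within window of now, so the
// operator can send a reminder before the user is locked out.
func RenewalDue(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Add(window).Before(cert.NotAfter)
}

func main() {
	issued := time.Date(2020, 6, 12, 0, 0, 0, 0, time.UTC)
	ca, client, err := IssueClientCert("alice@example.com", issued, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	// Day 1: valid, no reminder. Day 80: valid, reminder due. Day 91: rejected.
	for _, day := range []int{1, 80, 91} {
		at := issued.Add(time.Duration(day) * 24 * time.Hour)
		fmt.Printf("day %3d: verify=%v renewalDue=%v\n",
			day, VerifyClient(ca, client, at), RenewalDue(client, at, 14*24*time.Hour))
	}
}
```

Running RenewalDue over the whole set of issued certificates on a schedule (and logging which users are inside the window) is the cheap fix for the reminder problem; it does not solve the tooling or UX complaints in the thread, only the silent-expiry one.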

