[sugar] ssl authentication [was (another) WebKit port of Browse]
Ivan Krstić
krstic at solarsail.hcs.harvard.edu
Tue Jul 8 17:01:51 EDT 2008
On Jul 8, 2008, at 2:46 PM, Carol Lerche wrote:
> I am puzzled about the PKI infrastructure you envision. I envision
> having a
> private certificate authority that runs on the teacher's XO and
> keeps its
> keystore on a USB thumb drive.
To summarize for those who haven't heard me rant about this in person:
actual PKI is almost never the answer. It is a question, and the
answer is "hell, no."
While you may believe the setup you have in mind is easy and
uncomplicated, the odds are *overwhelmingly*, **super-stunningly**
stacked against you to make PKI work the way you want in production.
The fact that TLS client certs, in particular, have zero commercial
end-user deployment uptake, should tell you something.
I cannot recommend more strongly to stay the bloody hell away from the
entire real PKI/X.509/CAs morass. A solution based on e.g. SSH and key
continuity is, while certainly less traditional, enormously likely to
work out better in practice.
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
More information about the Sugar
mailing list