[u801e]

> Wait for the email to arrive and follow the retrieval process to get the certificate

Is there a reason why the server couldn't send the certificate back to the browser via HTTPS?

> You then need a non-trivial amount of work to export the private key and certificate and install it on all of your devices,

Would it not be better to just use a different key for each device? That is, repeat steps 1 and 2 for every device you plan to use?

> Every time you visit a site or send an email, you now have to select which key you want to use.

Could the browser remember which website the client certificate was used for? If so, then the user won't have to make the selection more than once.

> Every year, repeat the process starting at step 1.

Outside of a device getting compromised, is there a good reason for updating certificates more often than once every 5 years?

> It'd be really nice to have a LetsEncrypt-style effort to remove the warts from this process so it's approachable for normal people without a heavy support pool.

I'm still doing more research on this, but what did the <keygen> HTML element lack that the process used by Let's Encrypt provide?

> This is another area where I wish Mozilla hadn't prematurely killed Persona as it'd be really nice if there was a service which would allow you to associate different client certificates with a single user identity so private keys never needed to leave the device

Shouldn't the private key be something that's associated with the browser? That is, when you install the browser, a private key is generated and used for all certificate signing requests. I think the process could be extended to add additional browser instances for a given account on a website. For example, you could take the CSR from the other device and use your first device to send it to the server, get the certficate and then copy it back to your other device.

[stephenr]

A number of the undesirable factors described here (email, 12 month limit) are because that process isnt generating a client certificate for use on a private site, it's generating an S/MIME cert for handling encrypted/signed email.

[u801e]

I guess I'm not clear on the current process. If we had a process as shown below, I think it would be much easier to get people to adopt client certs.

1. Click on link to sign up for new account on news.ycombinator.com

2. Enter information for the account including a CSR that your browser generates for you

3. Submit the information to the server

4. Server servers another page that confirms account creation and includes the certificate

5. The browser provides a way to import that certificate to a client certificate store it maintains

6. Next time you visit the website, your browser knows to use that client certificate

Registering other browsers would require sending the CSR via the first registered browser and copying the certificate that the server returns to the second browser.

Of course, this would be for websites that don't have a need to verify your identity (like reddit or Hacker News). For banks, or credit cards, there would have to be a way to verify the identity of the person signing up for an account.

[acdha]

> > Wait for the email to arrive and follow the retrieval process to get the certificate

> Is there a reason why the server couldn't send the certificate back to the browser via HTTPS?

The public implementations are generally trying to verify current ownership of the specified email address. That's part of why I wish this could be linked to a third-party which already does that so users don't have to repeat the process as often.

> > You then need a non-trivial amount of work to export the private key and certificate and install it on all of your devices,

> Would it not be better to just use a different key for each device? That is, repeat steps 1 and 2 for every device you plan to use?

It would, but currently you can't do this if you use Google Chrome or Microsoft Edge. Again, remember that I'm talking about the practical impediments doing this now rather than any sort of conceptual problem: if the industry cared this could improve a lot very quickly.

>> Every year, repeat the process starting at step 1.

> Outside of a device getting compromised, is there a good reason for updating certificates more often than once every 5 years?

The general idea is that it protects against unknown, non-permanent mistakes but I think the main point here is that key rotation should be automated so it can happen simply since it reduces the window of problems for any mistakes considerably. I'd expect a modern implementation to have a tiered approach where e.g. keys generated on a secure enclave, token, etc. are trusted longer than ones where user error makes it possible to get access to the private key.

> > It'd be really nice to have a LetsEncrypt-style effort to remove the warts from this process so it's approachable for normal people without a heavy support pool.

> I'm still doing more research on this, but what did the <keygen> HTML element lack that the process used by Let's Encrypt provide?

It's been awhile since I looked at the discussions but I believe it was basically another case of an early feature chucked in in the 90s having a bunch of dubious design decisions which people didn't want to support for since it was rarely used. I'd be happy with it going away or substantially changing if there was a modern JavaScript API.

> > This is another area where I wish Mozilla hadn't prematurely killed Persona as it'd be really nice if there was a service which would allow you to associate different client certificates with a single user identity so private keys never needed to leave the device

> Shouldn't the private key be something that's associated with the browser? That is, when you install the browser, a private key is generated and used for all certificate signing requests.

I was referring to the two related concepts here: I like the model where each browser manages a private key (preferably stored in secure hardware) but you also need to handle the question which keys are allowed to sign responses for a specific person. Consider e.g. all of the sites which trust Google or Facebook to authenticate users and imagine what it'd be like if that could be extended so you could ask that trusted third-party which keys correspond to a verified email address. Having it be something which is commonly used would also be a great place for rotation if there was a seamless way to repeat the signing process every n days rather than a user having to do it the first time they access a site a year after the last time they renewed, when they may have forgotten a lot of the steps.

That last point underscores how much of this has nothing to do with PKI and everything to do with horrible UI: the failure mode for not having a valid certificate is generally horrible — looping selection dialogs, low-level TLS failure messages with no indication of what you can do to fix things, etc.

[u801e]

> The public implementations are generally trying to verify current ownership of the specified email address.

Are there any implementations that don't? For example, when I create an account on news.ycombinator.com, does it really need to verify my email address, rather than using a signed message sent via HTTPS during the sign up process?

> Consider e.g. all of the sites which trust Google or Facebook to authenticate users and imagine what it'd be like if that could be extended so you could ask that trusted third-party which keys correspond to a verified email address.

Perhaps we need to rethink using email for verification. For server side authentication, we have certificate authorities to handle verification of a given server's identity. In your example, Google or Facebook (or both) could serve as certificate authorities for the client certificate used for a given website.

Again, I would say that most websites do not (or should not) need my email address in order for me to sign up for an account. My web browser should be able to manage verifying my identity with a website as well as adding other trusted web browsers.

> That last point underscores how much of this has nothing to do with PKI and everything to do with horrible UI: the failure mode for not having a valid certificate is generally horrible

Unfortunately, that is very true. It would be nice if some serious effort could be directed to improve the process. I think that if we were using certificate authentication, as opposed to password based, it would be much harder for people's accounts to be compromised, even through "social engineering".