by HorstG 2378 days ago
Certificate auth for HTTP with TLS and Kerberos auth for HTTP are specified and supported by all (major desktop) browsers.

However: The UX on the browser side is shitty as hell. Certificates display weird nagscreens, without being able to specify proper defaults like "use this cert for that site and don't bother me again". Certificate enrollment has been broken (not that the form element was ever great) by all major browsers, to be replaced by "do something in Javascript maybe, if we get around to implementing a new API some time". Oh, and no logout...

Kerberos needs a parameter at browser start or an about:config setting, and is incompatible with using multiple TGTs, let alone automatically selecting the right one or, gasp, getting a new TGT for the user from the proper KDC. The only thing that kinda works, mostly, is using the standard company login TGT. Oh, and logging out doesn't work...

Oh, and of course most mobile systems are broken or just unsupported.

The sorry state of browser auth is 100% on browser vendors dragging their feet on those problems that have been known for around 20 years or so. And no, webauth won't save us, it'll just be another shitshow most likely.

1 comment

This is the reply I was honestly hoping to get.

I always felt like one of the UX blockers for key exchange was the assumption that people couldn't be expected to learn the basics, because it's too complicated.

And every attempt to ignore or hide it has just made the entire thing more complicated or confusing.

You can shoot yourself in the foot with a gun or crash your car into a wall, and yet most people manage not to do so on a daily basis.

Sometimes simplicity is a false virtue.