by mooreds 2070 days ago
Are you talking about RFC 8705 ( https://www.rfc-editor.org/rfc/rfc8705.html )? I've researched this a bit and heard that deployment is problematic.

From a brief search, it looks like Let's Encrypt doesn't have great support for them ( https://community.letsencrypt.org/t/can-i-create-client-cert... ) so you are stuck setting up a private CA?

Have you set up client side certs? I'd love to hear your experience if so.

BTW, I'd defer implementing OAuth to a library or specialized piece of software (full disclosure: I work for a company providing this). There are a number of options, paid and open source out there.

2 comments

> Have you set up client side certs? I'd love to hear your experience if so.

All of Estonia and a few other countries use them daily. For logging into banks, Craigslist-equivalents, online stores, service providers etc. etc.

Thanks for the pointer. Here's an interesting article on using the Estonian client cert:

https://wandernauta.nl/2015/08/27/estonian-id-with-nginx-and...

Interesting! Why does the distinction of a country matter here? I mean - why would using client side certs be something a country as a whole uses, as opposed to a certain type of company or something? Does it have to do with some sort of national firewalls or anti-encryption laws?

Cool! Thanks for the links.

Some countries implement verified authentication schemes for their inhabitants that can be linked to both government and private services.

I.e. you have one login to use when filing taxes, getting health data, social security, interacting with your local school etc.

It has to do with widespread deployment and a central trust authority - that the specific citizen is holding the specific citizen's cert. Service providers don't have to deal with the massive pain that is identity verification, there's no cumbersome stuff like faxing someone a gas bill to prove their identity.

In my opinion, client certificates are great, you can let existing crypto infrastructure deal with the problem of "who is this user?".

The biggest problem is around revocation. You need to have some central revocation list and make sure that all of the users of your PKI are keeping that list up-to-date in production, which can be difficult if you do not plan for that from the start.
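Two points in this thread lend themselves to one worked example: the RFC 8705 certificate-bound access tokens from the top post, and the revocation problem in the comment just above. The Go program below is an added example, not code from the thread, from the RFC, or from any product mentioned here. It stands up a constructed private CA (the kind of thing you end up running when Let's Encrypt won't issue client certs), issues a client certificate, computes the x5t#S256 thumbprint that RFC 8705 puts in a token's cnf claim, then publishes a CRL and shows that chain validation alone still accepts the revoked certificate until the list is actually consulted. The function names (Issue, Thumbprint, Revoke, CheckClient), the subject names and the one-hour CRL lifetime are my choices, not anything from the page; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Issue signs a client certificate with parentKey, or a self-signed CA when isCA.
// Constructed test PKI only; a real deployment uses its private CA tooling.
func Issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA that also signs CRLs needs both key usages
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Thumbprint is the x5t#S256 value RFC 8705 binds into the token's cnf claim:
// base64url (no padding) of SHA-256 over the certificate's DER encoding.
func Thumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Revoke issues a CA-signed CRL listing the given serial numbers.
func Revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour)} // short lifetime forces relying parties to refresh
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CheckClient does what the TLS handshake does (chain to the CA) and then what
// it does not do by itself: consult the CRL. A nil CRL means none is configured.
func CheckClient(client, ca *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if crl == nil {
		return nil
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired %s; a stale list is a failure, not 'nothing revoked'", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return fmt.Errorf("client certificate serial %s is revoked", client.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca, caKey, err := Issue(1, "Example Private CA", true, nil, nil)
	if err != nil {
		panic(err)
	}
	alice, _, _ := Issue(2, "alice", false, ca, caKey) // errors skipped in this demo main only
	crl, _ := Revoke(ca, caKey, alice.SerialNumber)
	fmt.Println("cnf x5t#S256 for alice:", Thumbprint(alice))
	fmt.Println("before revocation:", CheckClient(alice, ca, nil))
	fmt.Println("after revocation: ", CheckClient(alice, ca, crl))
}
```

Run it with `go run`; main prints alice's thumbprint, then a nil error before revocation and a "revoked" error after. The two checks that matter in production are the ones a naive implementation skips: the CRL's signature and its NextUpdate. CheckClient fails closed when the list is unsigned by the trusted CA or has expired; an implementation that treats "no current CRL" as "nothing revoked" has exactly the gap the comment describes, which is why the refresh path has to be planned alongside the issuance path.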