by viraptor 5447 days ago
How is that different from client certificate authentication? It seems strange that this solution is not mentioned at all.
3 comments

I've been saying it to a lot of people for quite a while, but that's a very nice example: client certificates, OpenID, PGP, and a host of extremely-useful systems like those aren't hard because they're inherently hard. They're hard because their presentations are absolute crap.

Take OpenID for example. I've encountered a bajillion nay-sayers, "it's too complicated" this and "too many steps for the user" that. So what's "sign in with Facebook" if not a better presentation of the exact same idea? And how many people have no problem using it every day?

To have a security revolution, we need to have a security software revolution. The tech exists for the vast majority of problems, we just need to use it.

Agreed. Even server-side, the software is awful - setting up a root-CA-signed certificate chain with the OpenSSL command-line tools (and Java's keytool) is an absolute nightmare. Apart from anything else, it's astonishingly difficult to tell when you've got it right, and by extension, it's astonishingly difficult to tell when you've got it subtly (or not so subtly) wrong. This has nothing to do with the principles at play, and everything to do with how the information is presented.
The terrible, terrible UI.

Plus: the same problem as normal SSL certs: the registries aren't secure/trustable.

UI is just an implementation part. If the main point was to improve on the user interaction side, I missed it completely. The only things he provided were an idea roughly equivalent to the existing one and a shell script which needs to be run outside of the browser. It's hardly better than "pick one entry from the dialog box", however ugly that dialog box is.
No, the main point is to show how simple client verification actually is. This implementation is one step up on the application stack into a comfort zone which seems to be more acceptable by devs.

I believe in design in depth, and by allowing the most basic of techniques (form submission + cli tool stack) to handle something that is generally perceived as difficult and letting people "get" the manual process, the automation might not seem as daunting.

I did not intend to create a standard, just to provoke more discussion. I would however be gladly surprised if I woke up tomorrow and twitter allowed me to sign in by solving a challenge instead of a password : ).
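As an added illustration of both points raised above (that a root-CA-signed chain built with the openssl CLI is hard to check, and that "sign in by solving a challenge" is a small form-plus-CLI flow), here is a self-contained POSIX shell script. It is not the submitter's script and not from the thread; every name (`rootca`, `alice`, `otherca`, `mallory`) and value is constructed, and it assumes only that the `openssl` CLI is installed. It builds a throwaway CA and client certificate, checks the chain with `openssl verify` (the "did I get it right?" test), then runs the challenge-response exchange: the server issues a random nonce, the client signs it with the certificate's private key, and the server verifies the signature against the public key it extracts from the presented certificate.

```shell
#!/bin/sh
# Added example: minimal root CA -> client cert chain plus a signed-challenge login.
# All keys and certs are throwaway and live in a scratch directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_chain DIR CA_NAME CLIENT_NAME
# Creates a self-signed root CA and a client certificate signed by that CA.
make_chain() {
  dir="$1"; ca="$2"; client="$3"
  # 1. Self-signed root CA (key + cert in one step).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$ca" -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null
  # 2. Client key + certificate signing request.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$client" -keyout "$dir/$client.key" -out "$dir/$client.csr" 2>/dev/null
  # 3. CA signs the CSR, producing the client certificate.
  openssl x509 -req -sha256 -days 30 -in "$dir/$client.csr" \
    -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
    -out "$dir/$client.crt" 2>/dev/null
}

# verify_chain CA_CERT CLIENT_CERT -> exit 0 iff CLIENT_CERT chains to CA_CERT.
# This is the check that tells you whether the chain you built is actually right.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Server side: a fresh random challenge (nonce) per login attempt.
issue_challenge() {
  openssl rand -hex 32
}

# Client side (the "CLI tool" half): sign_challenge PRIVATE_KEY CHALLENGE
# Prints a base64 signature the user would paste back into the login form.
sign_challenge() {
  printf '%s' "$2" | openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Server side: verify_challenge CLIENT_CERT CHALLENGE SIG_B64 -> exit 0 iff valid.
# The public key comes from the certificate the user presented; the server never
# needs the private key. A stale nonce or a tampered signature fails here.
verify_challenge() {
  openssl x509 -in "$1" -pubkey -noout > "$WORK/pub.pem"
  printf '%s' "$3" | openssl base64 -d -A > "$WORK/sig.bin"
  printf '%s' "$2" | openssl dgst -sha256 -verify "$WORK/pub.pem" \
    -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Stand-alone demo (constructed names): a good login and two failures.
demo() {
  make_chain "$WORK" rootca alice     # the CA the site trusts
  make_chain "$WORK" otherca mallory  # an unrelated CA, not trusted by the site

  verify_chain "$WORK/rootca.crt" "$WORK/alice.crt"   && echo "chain: alice OK"
  verify_chain "$WORK/rootca.crt" "$WORK/mallory.crt" || echo "chain: mallory rejected (wrong CA)"

  nonce="$(issue_challenge)"
  sig="$(sign_challenge "$WORK/alice.key" "$nonce")"
  verify_challenge "$WORK/alice.crt" "$nonce" "$sig" && echo "login: alice OK"
  # Replaying the signature against a new nonce must fail.
  verify_challenge "$WORK/alice.crt" "$(issue_challenge)" "$sig" || echo "login: replay rejected"
}

demo
```

The two negative cases are the ones worth keeping in any real deployment: a certificate from the wrong issuer must fail `verify_chain` even though it looks well-formed, and a signature must only be accepted for the exact nonce that was issued, so a captured answer cannot be replayed. In production you would also bind the nonce to a session and expire it.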

Not so different in theory. This just displays how little fuss client certification can be on a higher level which is more easily approachable by web developers.