[Owasp-ireland] client-side ssl certs?

John Marmelstein john.marmelstein at gmail.com
Thu Aug 11 12:04:48 EDT 2011


Hi Folks,
How is everyone? It’s been a bit quiet!

Anyway, might anyone have thoughts or experience on client-side ssl certs?

I am making a web app. I need some form of user authentication. I’m
thinking I need to go a bit better than just having username/password
for access control. What options are out there? It's for a
public-sector thing. My hesitation with username/password access
control is that the credentials might just get passed around.

I guess that client-side certs are the answer. But, there will be
about 2000 users. These are low-tech users, distributed around
Ireland. On their personal (i.e. not standardized) browsers/operating
systems. So I can’t call around to them all doing the certificate
installs. I’m not optimistic about asking this user population to do
it themselves.

Any opinions?
Maybe it boils down to saying that I either have to use
username/password or accept the large effort of generating,
installing and managing the certs?
Is there a good way to generate, install and manage certs?

Thanks!
JM


-- 
John Marmelstein
087 136 0045

