Client certificate musings

Felix Queißner felix at masterq32.de
Sun May 24 22:16:05 BST 2020


Hey!

> thoughts about client certificates

First of all: I really love the idea of client certificates, especially
for short-term session management it's a nice idea!

I wanted to write a much longer, more detailed answer with deeper
insight, but I don't think I'll find the time for that, so I'll just share
my "main" concern/idea:

When I first read the idea of the persistent/long-term certificates, I
didn't even come across the idea of using it for whitelisting.

My first thought was: Nice, this makes some really good identity
management for web forums/shops/chats/...

It gives the client full control over their identity. I can use multiple
client certificates for the same site to manage different identities.

What I imagined in a client was this:
https://i.imgur.com/Ayh2sVx.png

When a server requests use of a client certificate, you get to choose one
of many identities, maybe even share an identity between sites for
collaborating services.

You are always allowed to create new identities, destroy old ones.

</end-of-vision>

It didn't occur to me that certificates require a lifetime to be chosen,
and now I'm thinking about how to solve this.

The "easy" way would be to create certificates with a 150-year duration
and force the recovery strategies on the user. But as already discussed,
this isn't practical, and losing the certificate and/or key would require
some kind of account recovery strategy.

E-mail recovery is a usual strategy common in the webspace, but I'm not
a huge fan of that. Another possibility would be that the server gives
the user a common secret that allows re-connection of an account to a new
certificate, but there's the same problem of the lost identity.

Regards
- xq
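The "common secret" rebind idea discussed in the message above, as an added example that is not part of the original post and not code from any Gemini client or server: a minimal server-side identity store keyed by the SHA-256 fingerprint of the client certificate (the way a TOFU-style Gemini server identifies a client), plus a single-use recovery secret that lets a user move their account to a freshly generated certificate after losing the old one. The `IdentityStore` class, its method names, the account name and the DER byte strings are all constructed for illustration; a real server would hash the actual DER-encoded certificate it receives in the TLS handshake.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000  # cost factor for hashing the recovery secret at rest


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest over the DER-encoded certificate.

    This is the identity a TOFU-style server keys on: the certificate can be
    self-signed with any lifetime, the server never validates a chain.
    """
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Account:
    name: str
    fingerprint: str
    # Salted hash of the outstanding recovery secret; None when none is issued.
    recovery_salt: Optional[bytes] = None
    recovery_hash: Optional[bytes] = None


class IdentityStore:
    """Hypothetical server-side mapping: certificate fingerprint -> account."""

    def __init__(self) -> None:
        self._by_fp: Dict[str, Account] = {}
        self._by_name: Dict[str, Account] = {}

    def register(self, name: str, cert_der: bytes) -> Account:
        fp = fingerprint(cert_der)
        if fp in self._by_fp or name in self._by_name:
            raise ValueError("certificate or name already bound")
        acct = Account(name=name, fingerprint=fp)
        self._by_fp[fp] = acct
        self._by_name[name] = acct
        return acct

    def lookup(self, cert_der: bytes) -> Optional[Account]:
        """Resolve the presenting certificate to its account, if any."""
        return self._by_fp.get(fingerprint(cert_der))

    def issue_recovery_secret(self, cert_der: bytes) -> str:
        """Give the currently authenticated user a secret for later rebinding.

        The server keeps only a salted PBKDF2 hash, so a database leak does
        not hand out working recovery secrets.
        """
        acct = self.lookup(cert_der)
        if acct is None:
            raise KeyError("unknown certificate")
        secret = secrets.token_urlsafe(32)
        acct.recovery_salt = secrets.token_bytes(16)
        acct.recovery_hash = hashlib.pbkdf2_hmac(
            "sha256", secret.encode(), acct.recovery_salt, PBKDF2_ROUNDS
        )
        return secret  # shown to the user once; they must store it themselves

    def rebind(self, name: str, secret: str, new_cert_der: bytes) -> bool:
        """Move `name` to a new certificate if `secret` matches; single use."""
        acct = self._by_name.get(name)
        if acct is None or acct.recovery_hash is None or acct.recovery_salt is None:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", secret.encode(), acct.recovery_salt, PBKDF2_ROUNDS
        )
        if not hmac.compare_digest(candidate, acct.recovery_hash):
            return False
        new_fp = fingerprint(new_cert_der)
        if new_fp in self._by_fp:
            return False  # the new certificate already identifies someone
        # Unbind the lost certificate so it cannot be used if it resurfaces,
        # and burn the secret so it cannot be replayed.
        del self._by_fp[acct.fingerprint]
        acct.fingerprint = new_fp
        acct.recovery_hash = None
        acct.recovery_salt = None
        self._by_fp[new_fp] = acct
        return True


if __name__ == "__main__":
    # Constructed stand-ins for two DER-encoded certificates.
    lost_cert = b"constructed-der-of-the-original-certificate"
    fresh_cert = b"constructed-der-of-the-replacement-certificate"
    store = IdentityStore()
    store.register("xq", lost_cert)
    token = store.issue_recovery_secret(lost_cert)
    print("rebind with secret:", store.rebind("xq", token, fresh_cert))
    print("old cert still works:", store.lookup(lost_cert) is not None)
```

For the long-lived identity itself, a self-signed certificate of the 150-year sort mentioned above can be produced with `openssl req -x509 -newkey rsa:2048 -nodes -days 54750 -subj /CN=xq -keyout id.key -out id.crt`; the server only ever hashes `id.crt`, so the expiry date is irrelevant to it. The store deliberately does nothing for a user who loses both the certificate and the recovery secret, which is exactly the remaining "lost identity" problem the message points out.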

