in reply to Re^2: OpenID alternatives, what do you suggest
in thread OpenID alternatives, what do you suggest

Firefox and Opera both support client keys for SSL and TLS. I'm sure they are not the only browsers to do so, but I don't want to check all 9 other browsers on my desktops right now.

For email, Thunderbird and mutt support client keys. There's also built-in support for PGP/GPG in mutt to encrypt the email itself. I'm sure there are plugins for Thunderbird to do that if it doesn't already. Many servers can be configured to use TLS-encrypted sessions for MTA to MTA communications when available at the other endpoint.

It's typically considered the MTA's job to deliver the mail first and to concern itself with security second, which is an attitude that needs to change before any of this improves. It does little good to have SSL or TLS sending and receiving if the mail routing in the middle is in plaintext. Encrypting and signing the message at the endpoints with PGP/GPG and sending it through clear channels should offer whole-path protection up to the point where they are easily broken. AFAIK, it still takes quite some time to break a 2048-bit key for GPG.


Re^4: OpenID alternatives, what do you suggest
by zentara (Cardinal) on Sep 25, 2008 at 16:02 UTC
    Here is a nice article on setting up an htaccess based client ssl certificate system. client ssl certs Now I have something to play with this afternoon. :-)

    It appears to be in line with your desire for different keys for each site, and is generated by the site and the access key is given to the client. I guess the weakness here is how you get the key to the client? It would have to be delivered personally to them, but in an office setting that would be easy.

    My envisioned model is slightly different, with a common public key that you use for all sites, that the server admin would retrieve from a public server.

    Anyways, this looks cool, I hope I can get it working.


    I'm not really a human, but I play one on earth Remember How Lucky You Are
      It is also possible to generate a key pair, store your private key and public key in your browser, and send your public key to the server. The bigger-named browsers mostly allow you to import the keys, but not to generate them. Setting up the system on the server is left as an exercise. ;-)

      If you're dealing with shared secret encryption or distributing a private key, the trick to getting the secret key to the intended party is to do so out of band or to transfer it along a channel already secured by some other encryption.
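The per-site client certificate setup zentara describes, and the out-of-band key delivery the reply above mentions, as an added example that is not code from the thread or from the linked article. It assumes openssl on the path, one private CA per site (so a certificate issued for one site is rejected by another), and a placeholder PKCS#12 password that you would hand over out of band along with the file.

```shell
#!/bin/sh
# Added example: one private CA per site signs client certificates for that site only.
# The server is configured to trust only its own CA (in Apache that is
# SSLVerifyClient require + SSLCACertificateFile pointing at the site CA cert),
# so the same client cert cannot be replayed against a different site.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Create the site's own CA: $1 = site name.
make_site_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" \
    -subj "/CN=$1 client CA" 2>/dev/null
}

# Issue a client certificate for a user under a site CA: $1 = site, $2 = user.
# The private key is generated on the issuing side here; the user could instead
# generate it in the browser and send only a CSR, as the reply above suggests.
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" \
    -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -days 90 -out "$WORK/$2.crt" 2>/dev/null
  # Bundle key + cert for import into Firefox/Thunderbird. The password is a
  # placeholder; a real one is delivered out of band, separately from the file.
  openssl pkcs12 -export -in "$WORK/$2.crt" -inkey "$WORK/$2.key" \
    -out "$WORK/$2.p12" -passout pass:CHANGE-ME-OUT-OF-BAND 2>/dev/null
}

# What the server does during the TLS handshake: validate the presented client
# cert against the site CA. Returns 0 if accepted, non-zero otherwise.
verify_client_cert() {
  openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" >/dev/null 2>&1
}
```

Run `make_site_ca siteA; issue_client_cert siteA alice` and import `$WORK/alice.p12` into the browser; `verify_client_cert siteB alice` fails, which is the per-site isolation the post asks for.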