[sugar] ssl authentication [was (another) WebKit port of Browse]

[Ivan Krstić]

On Jul 8, 2008, at 2:46 PM, Carol Lerche wrote:
> I am puzzled about the PKI infrastructure you envision.  I envision  
> having a
> private certificate authority that runs on the teacher's XO and  
> keeps its
> keystore on a USB thumb drive.

To summarize for those who haven't heard me rant about this in person:  
actual PKI is almost never the answer. It is a question, and the  
answer is "hell, no."

While you may believe the setup you have in mind is easy and  
uncomplicated, the odds are *overwhelmingly*, **super-stunningly**  
stacked against you to make PKI work the way you want in production.  
The fact that TLS client certs, in particular, have zero commercial  
end-user deployment uptake, should tell you something.

I cannot recommend more strongly to stay the bloody hell away from the  
entire real PKI/X.509/CAs morass. A solution based on e.g. SSH and key  
continuity is, while certainly less traditional, enormously likely to  
work out better in practice.

--
Ivan Krsti? <krstic at solarsail.hcs.harvard.edu> | http://radian.org