Tag Archives: client certs

Finally: Create a Client Certificate in the Browser

Since Google and Mozilla have removed the <keygen> element we use from the HTML standard and from their browsers, we have endeavoured to provide a valid replacement so that client certificates can once again be created so easily that even my grandmother could do it.

Finding a solution was not easy; other CAs were also sweating bullets here. The solution that we have been offering for some time now was initially somewhat hidden, but has since been prominently linked as the seventh service on our community portal community.cacert.org.

Both the new solution and the community portal are the result of the tireless work of a small group of volunteers. As a small thank you, you can make their work easier by not having to worry about CAcert’s operating costs. Donation account CAcert: IBAN CH02 0077 4010 3947 4420 0 or with bank or credit card.

WordPress Client Certificate Authentication

Client Certificate Authentication is possible for the CAcert Blog for some time. Now, the code was put into an own plugin and published to the wordpress plugin directory. You can also install the plugin directly from your wordpress admin interface to use it in your own blog.

Acknowledgements: This plugin is based on the HTTP Authentication plugin by Daniel Westermann-Clark. Ideas taken from Dan B.’s implementation for client certificate authentication.

Client Certs are the future…

One of the things I recently discovered (to my surprise) is that client certs used in browsers are out of scope for browser policy purposes. This is because *the server* is the relying party, and there is no decision of reliance to make in the browser. So the vendor doesn’t care.

And, as we know, for the most part servers require a fair bit of config to get up and going … so even a decision to distro the root of one player or another isn’t so important.

The playing field is more or less level. What’s perhaps more controversial is this claim: client certs deliver more bang-for-buck in real security benefits than any other use of certs.

Which means that our idea of using client certs every where (CATS.cacert.org originally, but now webmail, archives, and this very blog!) is also a good strategic direction. We can deliver!

Therefore, Apache tutorials like this one by Dan are much more important. Download it today! Put it into practice on your website! Not to mention, that client certs delivers lots of administration benefits in easing our management of sites, as I muse on over at my blog. Have you noticed how there are no complaints about lost passwords over at CATS.cacert.org? No more comment spam on this blog [1]?

Say No to Spam!

What I would like to see is a list of systems where CAcert certs are now in definite use. Production. Benefits! This would include CATS in pole position, also the blog, the webmail, the mail archives. Also possibly that OpenID server (is that run by Assurers? I assume so… I’m not even sure where it is).

[1] OK, it seems that only a very few long suffering admins could even see it. So you probably can’t see it, … and can’t imagine the joy of not having to deal with it ever again ­čÖé I checked last night, there is a tiny bit of trackback spam, which I can’t quite see how to deal with, but nobody cares about trackback these days…