Re: Personal Security Certificate
> Just wait until all the whining brings the advent of the "Personal Security Certificate"
I have the impression you may know this already, but HTTPS does allow client authentication, and it is not infrequently used, e.g., in banking, government services, intranets, APIs, etc.
It is in fact very common in Baltic countries, but not only there. I have two government-issued X.509 certificates from countries where I used to live that were used in exactly the way you describe (the physical tokens double as ID cards). It works OK for those limited cases where authentication really is necessary, such as filing taxes or requesting personal records, or banking, but one needs to remember to pull the card out of the reader as soon as one is finished (and also to configure one's browser to ask every time which certificate to present), as otherwise nothing prevents https://allyourdataarebelongto.us from sucking that information as soon as you navigate to their site to check the latest cat pictures.