Reply to post: OpenSSL

No password? No worries! Two new standards aim to make logins an API experience

Anonymous Coward


Did you know that the certificates created (and managed) by OpenSSL are merely sets of public/private keys? And that your certificate signature request is basically nothing more than a public key which gets signed by another party? And most of all: that the signature defines the trust in the eventual certificate?

Why am I telling you all this? Simple: because this can be a very feasible form of authentication as well. Heck, I'm using this with my (hobby-based!) VPN (powered by OpenVPN). Basically I have my own private CA which is trusted by several computers (FreeBSD, Windows and Linux alike), that signs off the allowed certificates for VPN use, and those clients merely have to use this certificate.

Or what about SSH? I'm not using a mere password for that, I'm using public key authentication. So: my public key resides in ~/.ssh/authorized_keys and my private key is just that: private, and used to authenticate myself. The only password I use is one to keep my private key safe.

Why can't we have this instead? You could even automate the certificate creation part and there would be no need for any centralized user tracking center.

My (cynical) take on all this? Revenue. Of course they won't use certificates, because too many companies have financial stakes in those. It's much more beneficial to sell us that crap than to confess that it could easily be used in a different (and cheaper) manner. Money makes the world go round, eh?
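The private-CA workflow the commenter describes, as an added example that is not the commenter's own configuration and not part of the original post: a CA key pair with a self-signed certificate, a client key whose CSR (public key plus requested subject) is signed by that CA, and the check a VPN server would make when it is told to trust only that CA. It also shows the point about trust following the signature: a perfectly valid certificate issued by an unrelated CA is rejected. It assumes the openssl(1) CLI (1.1.1 or 3.x) with a default openssl.cnf is installed; the CA and client names and the temporary paths are made up for the example.

```shell
#!/bin/sh
# Added example (not the commenter's setup): a tiny private CA built with the
# openssl(1) CLI, a client certificate it issues, and the trust check.
# Assumes openssl is on PATH with a default openssl.cnf; names are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles passed via -extfile so the result does not depend on what
# the system openssl.cnf happens to put into self-signed certificates.
cat >"$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: CA key pair and self-signed CA certificate in $WORK/NAME.{key,crt}
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
    -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA NAME: client key, CSR, and a certificate signed by CA.
# The CSR carries only the public key and subject; the private key stays put.
issue_client() {
  ca=$1; name=$2
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" \
    -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/ext.cnf" -extensions v3_client \
    -out "$WORK/$name.crt" 2>/dev/null
}

# verify_against CA CERT: exit 0 only if CERT chains to CA and is usable as a
# TLS client certificate. This is the check behind pointing a server at one
# trusted CA file; the exit status, not the output, is the answer.
verify_against() {
  openssl verify -purpose sslclient -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca vpn-ca
make_ca other-ca            # an unrelated CA, not trusted by the VPN
issue_client vpn-ca alice   # legitimate client
issue_client other-ca mallory   # valid certificate, wrong signer

# demo: exit 0 if trust follows the signature as described: alice accepted,
# mallory rejected even though her certificate is well-formed and unexpired.
demo() {
  verify_against vpn-ca alice || return 1
  ! verify_against vpn-ca mallory || return 1
  return 0
}

if demo; then
  echo "PASS: only certificates signed by vpn-ca are trusted"
else
  echo "FAIL: trust check did not behave as expected"
  exit 1
fi
```

Revocation is the part this leaves out: once a client key leaks, the server needs a CRL (or a short certificate lifetime, as with the 90 days above) to stop accepting it, since the CA signature alone stays valid until expiry.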
