
Seriously, why the hell are we still using username/password when browsers have supported requesting client certificates for years now.

Literally just learned today that it's an API that's supported in all the major browsers already. Maybe because it's at the TLS/Server-side layer instead of inside client-side JS or the HTTP layer?

Only downside is now I need to add this functionality to Agregore. :P


one more thing on this topic, what's cool is that this is pretty much how the protocol handles authentication.

it happens at the tls level and means there's less stuff that you need to do to authenticate a session and manage credentials.

@mauve IIRC (it's been ages since i was playing with this) it's even possible to set up client cert auth with "old fashioned" apache server stuff. i'm pretty sure i succeeded at getting it working with a .htaccess in a shared webhosting type environment, even without a custom domain

@mauve Nooo, don't even bother with the horrid client certificate stuff. The browsers first created the most hateful UI for those things, and THEN killed it. It's dead, just let it be.

@mauve Omg, seriously. Back in 2016, when browsers started pulling support for generating client certs, I basically spent a year creating a new cross-domain authn system for the Solid Project (it relied solely on client certs before that).

But I still think about the kind of awesome world we could have had, had the vendors supported client certs properly. Just boggles the mind.

@mauve

Answer: Because OS vendors did not want to make certs & keys first-class objects that are highly visible to users (and manageable by them).

TBH, I'm not sure if that would be better or worse than using password managers.

@tasket I think one thing that is different from password managers in this scenario is that you can use your key instead of an email+password combo and could potentially reuse credentials more easily. also has an obvious path for hardware keys

@tasket also in general it's just more "standard", but I guess password managers are getting integrated at the operating system level now too so they're just as standard 🤷

@mauve if you implement it with a UI button to switch/disable the chosen client certificate, you'll have surpassed every other browser to date.

(I kinda wish FOAF+SSL had caught on, it was a clever notion.)

@tangent128 Yeah I think the only tradeoff is that I'm aiming to remove the need for servers at all and the other browsers pretty much dropped support for the function. 😭

might be good to find an equivalent for key management though

Mauvestodon

Escape ship from centralized social media run by Mauve.