So you either require the user to somehow sync a private key across multiple computers (including phones and tablets) or they can't access the site with this method. Do you agree on the digest, method, sizes? Do you blacklist md5, sha1? Does everyone agree to this, or can I go to one site which uses an insecure algorithm and there's the potential for information to be leaked, which affects my usage of that private key on other websites? Do I have a private key for each different website? Do I then need something to manage this for me, à la KeePass or 1Password? How do I authenticate with KeePass or 1Password, with a password? We're back to where we started.<p>I don't think PKI is the solution for this problem.<p>BrowserID is moving in the right direction. I can trust Google to have appropriate security for my personal information, but as we've seen time and time again, sites like Gawker, Mt. Gox cannot be. It would be nice to see a service like BrowserID catch on, and I'd be willing to pay a vendor for the service if they provide full disclosure on their method of storing my data. So I know they aren't storing in plaintext, hashing with md5, encrypting the passwords, etc.
I've been experimenting with something similar over the past couple of weeks, at the HTTP auth level (as that's my use case), although I don't have browser integration yet as I'm still working on interfacing to ssh-agent (also, insert standard lack-of-time excuse here).<p>I've been experimenting with SSL client certs for a while. They don't have a decent UX/UI in any browser I've used (redxaxder provides a link in another thread) and are a significant hurdle to general adoption. We could maybe see significant progress in this area if some well-known, popular site, like Facebook or Gmail, supported SSL client certificate authentication.<p>We need to see more work in this area.
What we need is a public key authentication scheme with the possibility for normal users to delegate their identity to some trusted third party to which they hand their public key (like with OpenID). I think this would be the best of both worlds: normal users get a seamless experience, and nerds have total control over their identity without even needing to, say, own a domain name and trust DNS.