科技回声 (Tech Echo)
A technology news platform built on Next.js, carrying global tech news and discussion.

© 2025 科技回声. All rights reserved.

Can we talk about client-side certificates?

24 points, by freddyym, almost 5 years ago

4 comments

znpy, almost 5 years ago

I've been learning OAuth at work and started implementing OpenID using Keycloak.

Now I'm in the process of setting up a private CA with Vault from HashiCorp.

What ddevault is proposing is basically OAuth implemented in terms of TLS and certificate authorities.

It's not bad as an idea, per se.

The problem is, as far as I see, that X.509 and TLS pull a lot of hard topics into the discourse. You pull in X.509 and you also pull in the whole ITU/X.500 thing. Have fun with that.

Just these days I was thinking that I'm having a hard time finding certificate authorities explained in terms of actors and interactions, instead of cryptography.

OAuth/OIDC instead is just that: authorization delegation. It starts and ends with those RFCs/specs.

It helps a lot to know that all you need to know is contained in that finite number of documents.
grizzles, almost 5 years ago

Agree 100%. I've thought this is the right way to do web SSO for as long as there has been a web.

OpenID Connect & OAuth are privacy disasters. Before the advent of the internet, customer lists (aka goodwill) were considered ultra-proprietary information that a company had.

Now this data is essentially given away to the big four or five internet companies. Meanwhile, government is as useless as ever, content to fight their culture battles as if nothing else mattered. Bad juju.
pabs3, almost 5 years ago

The Debian experience with this is that browsers have terrible client cert UX and are actively making that worse.

https://lists.sr.ht/~sircmpwn/public-inbox/%3Cf7599ba5de4864a28293a53a1b9e4305e7c568d0.camel%40bonedaddy.net%3E
Ayesh, almost 5 years ago

We implemented CA/client-cert-based authentication, and decided not to do it again.

- Users are used to just getting public/private API keys, and it's often common knowledge how to store the private key securely.
- Tooling is surprisingly scarce. Not all API testing tools support client certificates, and users didn't want to do the openssl dance.
- Users kept forgetting the certificate expiration date. We had to remind them to do the openssl dance again every 3 months.
- On the server side, unit testing was a bit complicated because the TLS implementation was supposed to be a separate layer from the actual application.
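Two points raised in the thread can be made concrete in code: znpy's description of the scheme as "OAuth implemented in terms of TLS and certificate authorities" (the server maps a verified client certificate to an identity instead of a bearer token), and Ayesh's complaint that the TLS layer being separate from the application makes unit testing awkward, with certificates that have to be renewed every three months. The following Go program is an added example, not code from the thread or from any commenter's project. It builds a throwaway private CA and a 90-day client certificate in memory (the `issue` helper is a hypothetical stand-in for a real CA such as Vault), maps the verified leaf's CommonName to an application identity in an HTTP handler, and shows two ways to test that handler: injecting a `tls.ConnectionState` so the application layer runs with no handshake at all, and a real mutual-TLS round trip against an `httptest` server configured with `RequireAndVerifyClientCert`. The names `example-private-ca` and `alice` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// must panics on error: fixture generation in an example has nothing sensible to do otherwise.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints an ECDSA P-256 cert for cn (a self-signed CA when parent == nil). Example fixture standing in for a real CA such as Vault.
func issue(cn string, validFor time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // leaf is for client auth only
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA: may sign certificates, no EKU restriction
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// identityFromRequest maps the leaf cert to an identity; the TLS layer has already verified the chain, the app only reads the result.
func identityFromRequest(r *http.Request) (string, error) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return "", errors.New("no client certificate presented")
	}
	return r.TLS.PeerCertificates[0].Subject.CommonName, nil
}

func whoami(w http.ResponseWriter, r *http.Request) { // application handler: no cryptography here
	id, err := identityFromRequest(r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "hello %s", id)
}

// unitTestHandler drives whoami with no handshake at all by injecting the ConnectionState TLS would have produced.
func unitTestHandler(leaf *x509.Certificate) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/whoami", nil)
	if leaf != nil {
		req.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}}
	}
	rec := httptest.NewRecorder()
	whoami(rec, req)
	return rec.Code, rec.Body.String()
}

// mtlsRoundTrip does a real handshake: the server requires a client cert chaining to ca; returns the body or the handshake error.
func mtlsRoundTrip(ca, leaf *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(whoami))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	srv.StartTLS() // httptest supplies the server certificate and a client that trusts it
	defer srv.Close()
	client := srv.Client()
	client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}
	resp, err := client.Get(srv.URL + "/whoami")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	ca, caKey := issue("example-private-ca", 10*365*24*time.Hour, nil, nil)
	alice, aliceKey := issue("alice", 90*24*time.Hour, ca, caKey) // the "every 3 months" renewal cycle
	fmt.Println(unitTestHandler(alice))
	fmt.Println(mtlsRoundTrip(ca, alice, aliceKey))
}
```

`go run` prints the unit-test status and body followed by the round-trip result. The design point is that `whoami` never parses or verifies certificates itself: its tests need nothing beyond a parsed `*x509.Certificate`, so the separation of the TLS layer from the application is what makes the handler easy to test in isolation, while the `httptest` round trip covers the handshake policy (a leaf issued by a CA outside `ClientCAs` fails before the handler is ever reached).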