So... I completely agree that shared secret authentication is a bad idea, and I use public key authentication wherever I can (password auth is disabled for ssh on every server I control; I do everything with ssh public keys).
However, I've yet to set a public key authentication scheme that users would find acceptable for web applications. Do you really expect all users to set up X.509 auth in the browser?
What is your public key solution to authenticate the web-applications that customers demand?