| 1 |
>> You can use apache client authentication with SSL certificates only. Of |
| 2 |
>> course you will need to create a self-signed CA, which you will use to create |
| 3 |
>> the web server public/private key pair and also sign each client's certificate |
| 4 |
>> and upload it along with your CA certificate to the user's browser. This |
| 5 |
>> explains the principle: |
| 6 |
>> |
| 7 |
> Now, a solution a more traditional desktop is to use an SSL key stored |
| 8 |
> on a smartcard, which I'm sure Diego has blogged about on |
| 9 |
> planet.gentoo.org as he is into those. That has all the advantage of |
| 10 |
> the TPM as far as key security goes. However, you're still vulnerable |
| 11 |
> to xss and keyloggers and such. |
| 12 |
|
| 13 |
|
| 14 |
Is an SSL key stored on a smartcard better than a TOTP password? They |
| 15 |
seem roughly equivalent to me. I don't think either would restrict |
| 16 |
access by device. |
| 17 |
|
| 18 |
- Grant |
Archives