After reading the spec (see my notes here), and a conversation with people in the security industry, a question came to mind (in context), and I thought I'd create a separate thread from the announcement.
We could have a CertificateExchangeCredential type from which the browser could manage its locally stored certificates. A user could have many web browsers, each with its own certificates.
A way to go might be that we send a list of "acceptable" public certificates only once the user is already signed in.
The next sign-on process would then only need to make a handshake with one of his previously generated private certificates, provided the user whitelisted the certificates from his current browser the last time he was authenticated.
The benefits of this are that a user could control the number of certificates he has, use them on more than one site, and use the browser itself to manage them.
Is this out of scope? Has this been suggested?
PS: I might be wrong, and I know it's close to WebID. But I still have doubts that it has been implemented like this yet.