[SSL Observatory] offtopic: sites with client certificate authentication

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Aug 16 22:29:31 PDT 2011


Erwann Abalea <eabalea at gmail.com> writes:

>The problems are more technical, and not balanced by a real benefit.

Interesting.  I've run into something like this in another online tax-filing 
case where there was debate over enforced password changes (conclusion: no, 
because with once-a-year use the user will be forced to change it every single 
time they file a return) and how to auth users (no-one will remember a 
once-a-year password).  The solution that was used was to print an 
authenticator on the tax notice that was sent out, sort of like a TAN, and use 
that to authenticate the return.

(An additional consideration for NZ is that many/most(?) people never file a 
tax return; tax is deducted automatically from wages by the employer and all 
you get is a summary of earnings, so this considerably reduces the potential 
load on any online filing system; what's left are mostly businesses and 
special-case earners).

Peter.
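As an added illustration of the mailed, TAN-like authenticator described above (this is not code from the post or from any tax authority's system), a hypothetical server-side store: it returns the printed code once at issue time, keeps only a salted, slow hash of it, compares in constant time, binds it to the taxpayer and tax year, and spends it on first successful use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Alphabet without 0/O and 1/I so a code read off paper is less likely to be mistyped.
TOKEN_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TOKEN_LENGTH = 10  # ~50 bits of entropy; plenty for a single-use, rate-limited code


def _hash(token: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked database does not directly yield printable codes.
    return hashlib.pbkdf2_hmac("sha256", token.encode("ascii"), salt, 100_000)


@dataclass
class NoticeRecord:
    tax_year: int
    salt: bytes
    token_hash: bytes
    used: bool = False


class MailedAuthenticatorStore:
    """Hypothetical store keyed by (taxpayer id, tax year); never holds the code in clear."""

    def __init__(self) -> None:
        self._records = {}  # (taxpayer_id, tax_year) -> NoticeRecord

    def issue(self, taxpayer_id: str, tax_year: int) -> str:
        # Generate the code to print on the paper notice; it is returned exactly once.
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        salt = secrets.token_bytes(16)
        self._records[(taxpayer_id, tax_year)] = NoticeRecord(tax_year, salt, _hash(token, salt))
        return token

    def redeem(self, taxpayer_id: str, tax_year: int, presented: str) -> bool:
        # Authenticate a filed return with the code from the notice; one successful use only.
        rec = self._records.get((taxpayer_id, tax_year))
        if rec is None or rec.used:
            return False  # unknown taxpayer/year, or code already spent
        normalised = presented.strip().upper().replace(" ", "")
        if not hmac.compare_digest(_hash(normalised, rec.salt), rec.token_hash):
            return False
        rec.used = True
        return True
```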

