Ask HN: Were SSH keys ever considered for browser authentication?

2 points by politician ↗ HN
Was support for authenticating to websites using SSH keys ever considered by any of the standards bodies or browser vendors (esp. Firefox)? If so, is there any documentation or historical record of why support was never implemented?

6 comments

[ 4.0 ms ] story [ 25.1 ms ] thread
Where would these keys be stored? In some browser-internal keystore? Or on your machine outside of the browser?
$HOME/.ssh, alongside all of our other keys.
That's not part of any standard or spec, though. It's just where one implementation of SSH stores the keys. gpg-agent (which handles ssh keys when behaving as an SSH agent) stores them elsewhere. I imagine Putty and Filezilla do, too.

It's possible that the storage format of the keys is not standard either, because I think I remember it being different between OpenSSH and Putty.

Browsers already support certificate based authentication equivalent to SSH key based authentication. In practice, it is difficult to prevent (and impossible to detect) an unauthorized user from misusing the authentication either by stealing the browser certificate or simply using an unattended browser window for unauthorized access.

https://www.ssl.com/how-to/configuring-client-authentication...

https://medium.com/@sevcsik/authentication-using-https-clien...

And, if you click the links above, it is very cumbersome to set up.

I'm familiar with TLS client certificates and how cumbersome they are. It's a shame because command-line ssh is so simple.