> Automatic certificate selection doesn't work then, as no realm concept as in baseauth exists.

That's not true. If a server requests a client certificate, it has to send a list of "acceptable" CAs. The client is supposed to use a cert that is signed by one of those. If you plan your environment carefully, automatic selection can work (except for IE, which apparently is too dumb to heed the acceptable CA list and always shows all certificates to the user). I agree with most of your other points. Setting up proper authentication via client certificates is a complicated mess.
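
The mechanism described in the comment above, as an added example that is not part of the original comment: a parser for the `certificate_authorities` field of a TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4) and the client-side filter over it. The message bytes, CA names and store labels are constructed, and comparing DNs byte-for-byte is a simplifying assumption.

```python
import struct

def der_cn_name(cn):
    """DER-encode a CN-only DistinguishedName (short-form lengths only)."""
    value = cn.encode("utf-8")
    atv = b"\x06\x03\x55\x04\x03\x0c" + bytes([len(value)]) + value  # OID 2.5.4.3, UTF8String
    seq = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(seq)]) + seq
    return b"\x30" + bytes([len(rdn)]) + rdn

def build_certificate_request(ca_names):
    """Constructed CertificateRequest body, as the server would send it."""
    cert_types = b"\x01\x40"          # rsa_sign, ecdsa_sign
    sig_algs = b"\x04\x01\x04\x03"    # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)

def parse_acceptable_cas(body):
    """Return the DER-encoded DNs listed in certificate_authorities."""
    pos = 1 + body[0]                               # skip certificate_types
    (sig_len,) = struct.unpack_from("!H", body, pos)
    pos += 2 + sig_len                              # skip signature algorithms
    (cas_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + cas_len
    if end != len(body):
        raise ValueError("certificate_authorities length does not match message")
    names = []
    while pos < end:
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("malformed DistinguishedName entry")
        names.append(body[pos:pos + n])
        pos += n
    return names

def select_certificates(store, acceptable):
    """store maps a label to the issuer DNs in that certificate's chain."""
    if not acceptable:                # empty list: any certificate may be offered
        return sorted(store)
    allowed = set(acceptable)         # a listed DN may be a root or a subordinate CA
    return sorted(label for label, chain in store.items() if allowed & set(chain))

# Constructed sample data: three client certificates and one server request.
CORP, ROOT = der_cn_name("Example Corp Client CA"), der_cn_name("Example Corp Root")
BANK, VPN = der_cn_name("Example Bank Client CA"), der_cn_name("Example VPN CA")
STORE = {"corp-badge": [CORP, ROOT], "bank-login": [BANK], "vpn": [VPN]}
REQUEST = build_certificate_request([CORP])
```

With a single match the client can pick the certificate without prompting; a server that sends an empty list gives the client nothing to narrow the choice with.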
Copyright © 2017, Eklektix, Inc.