I think the purpose of the certificate is so the user can be confident of the application they are sending data to is who they think it is.
Secondly, providing basic (or form based authentication) with SSL means the user password is encrypted. This means it is harder for hacker to pretend to be the user.
But a hacker could still pretend to be the application unless there is a certificate.
Marco Ehrentreich wrote:
Certificate based authentication uses asymmetric crypthography to establish a symmetric key for the actual encryption (this is the transport guarantee) during handshakes between client and server. Additionally X.509 certs allwo to proof the identity of the server and client (the authentication part). In this way certs are more secure because there are simply no passwords involved together with all the disadvantages of passwords as I said above. The single biggest disadvantage in this case is surely the client certificate. Firstly you have to distribute the client side certifcates in a secure way to your client as they are basically the key to your whole system.
Once they are on the client you have to take care that the certificate files stay secure and can't be misused by others by stealing the authenticity of another person via its certificate.
Marco Ehrentreich wrote:Hi James,
For the distribution of a client certificate what I really had in mind (and should have written) is that you would have to take care for generating and distributing client side keys and certificates if your users aren't capable of doing this themselves. I guess it's too complicated for the average user to generate a private key and CSR, send the CSR to the CA, receive the certificate, know where to put it and take care for the security of the private key on his machine. That's surely the most important reason that client side certificates are not that widely used (at least not to my knowledge).
If you don't want your users to take care of this whole thing you probably will have to generate keys/certificates for them and take care that it somehow ends up on the client machines. crypthography.
To be secure the private key should only ever be available to the client! I say again - to be secure the private key should only ever be available to the client!