We integrated with a government service. It uses a government supplied authentication service[1] for machine-to-machine communication, based on OpenID IIRC (OAuth2++).
For this, our customers need an EV certificate. Most of our customers are small, and don't have their own IT. It's a mess, most don't understand what it is, don't understand the difference between the two or three certificate files they get, a lot can't even figure out how to extract the files (inside a password protected pdf of all things), password? What password? ...
And then of course the certificates expire. Just like that. Poof. And the person who ordered them last time has moved on to a new job, and so we're back to scratch.
We spend so... much... time... on hand holding this for our customers. Didn't take us long to figure out we need to remind them about certificate expiry, but the rest is just such a PITA.
Technically it's a pretty nice solution, but boy it is not made for normal people.
So an EV certificate for machine to machine communication where self managed PKI would be better due to having a single CA that could “know the customer” and possibly sending the private key in a password protected PDF?
Did I misread that? Technically it sounds terrible.
I was tired, I think I might have said the wrong thing. They call it a "business certificate" or "enterprise certificate", and for a moment I thought that was EV.
[1]: https://www.digdir.no/digitale-felleslosninger/maskinporten/...