Drew DeVault

A thought experiment exploring why client-side TLS certificates never became a mainstream alternative to OAuth for API authentication. The author sketches a hypothetical protocol where API clients register a CA with a service provider, generate per-user certificates during an authorization flow, and use those certificates to authenticate requests. Proposed advantages include strong cryptographic guarantees, stateless tokens, easy revocation via CA untrust, no weird state tokens, and built-in metadata and expiration. The author acknowledges the idea may have obvious blind spots and invites discussion on why client-side certificates remain underused despite their apparent benefits.

Can we talk about client-side certificates?