> >The server can advertise the EXTERNAL mechanism (using the plaintext
> >authenticator) iff it has successfully verified a client certificate.
>
> wow, you *are* strict! You verify a client certificate *and* require
> authentication. Or perhaps you did not mean client certificate?
That is not particularly strict. For anything close to "high"
security, I'd see that as necessary.
If your laptop (with installed client-cert) gets stolen at the
airport, the thief has access to all the services until your I.T. department
revokes that cert. (Or if someone breaks into your office, etc.)
You should at least require a memorized password in addition to
the client cert. But passwords are easily caught; a handicam with a big
zoom lens does the trick. Bigger companies usually require a SecurID
token or biometric (i.e. handprint). For a cool toy see
http://www.thinkgeek.com/gadgets/security/5a6c/.
--Derek
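The two rules discussed in this thread, modelled as server-side SASL logic. This is an added example, not code from either poster: it advertises EXTERNAL only once the TLS layer has verified a client certificate (the quoted rule), and it follows Derek's stricter policy by refusing to treat the session as authorized until a memorised password has also been presented over PLAIN. The `TlsState`/`SaslSession` classes, the `CREDENTIALS` table and the mechanism list are this example's own assumptions, and the credential is a constructed value.

```python
"""Added example: SASL mechanism advertisement gated on TLS client-cert
verification, plus a "cert AND password" authorization policy.
Names and policy are assumptions of this example, not from the thread."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed credential store for the example (not a real account).
CREDENTIALS = {"alice": "correct horse battery staple"}


@dataclass
class TlsState:
    established: bool = False
    # Set by the TLS layer only after chain validation and revocation check.
    client_cert_verified: bool = False
    cert_subject: Optional[str] = None


@dataclass
class SaslSession:
    tls: TlsState
    user: Optional[str] = None
    authenticated_by: List[str] = field(default_factory=list)


def advertise_mechanisms(tls: TlsState) -> List[str]:
    """Mechanisms the server offers for this connection."""
    mechs = ["SCRAM-SHA-256"]
    if tls.established:
        mechs.append("PLAIN")        # plaintext authenticator only under TLS
    if tls.client_cert_verified:
        mechs.append("EXTERNAL")     # iff a client certificate was verified
    return mechs


def sasl_external(session: SaslSession, authzid: str = "") -> bool:
    """EXTERNAL: the identity comes from the verified certificate, never from
    the client's own claim. Refused if it was not advertised."""
    if "EXTERNAL" not in advertise_mechanisms(session.tls):
        return False
    subject = session.tls.cert_subject
    if not subject or (authzid and authzid != subject):
        return False
    session.user = subject
    session.authenticated_by.append("EXTERNAL")
    return True


def sasl_plain(session: SaslSession, user: str, password: str) -> bool:
    """PLAIN: memorised password, compared in constant time. Refused if not
    advertised or if it names a different user than the certificate did."""
    if "PLAIN" not in advertise_mechanisms(session.tls):
        return False
    expected = CREDENTIALS.get(user, "")
    ok = user in CREDENTIALS and hmac.compare_digest(
        expected.encode(), password.encode())
    if not ok or (session.user and session.user != user):
        return False
    session.user = user
    session.authenticated_by.append("PLAIN")
    return True


def is_authorized(session: SaslSession) -> bool:
    """Strict policy from the reply: a stolen laptop's certificate alone
    must not grant access; the password has to be presented as well."""
    return ("EXTERNAL" in session.authenticated_by
            and "PLAIN" in session.authenticated_by)


if __name__ == "__main__":
    # Stolen-laptop scenario: the cert verifies, but the thief lacks the password.
    s = SaslSession(TlsState(True, True, "alice"))
    print(advertise_mechanisms(s.tls))
    print(sasl_external(s), is_authorized(s))
    print(sasl_plain(s, "alice", "guess"), is_authorized(s))
```

Under this policy the session only becomes authorized after both `sasl_external` and `sasl_plain` succeed for the same user; a verified certificate by itself, or a correct password without the certificate, leaves `is_authorized` false.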