Implement Client Certificate with allowed URLs

Some countries (like Spain) allow the use of software client certificates. We have cryptographic hardware in our national identity card (DNIe) with an electronic identity like other countries, but we can also use certificates issued by an organization called FNMT to identify ourselves in official institutions. It’s quite practical since no username/password is allowed in many websites for security reasons and there is no need to connect our cards to the computer. Besides, some services still only work using these “software” certificates.

Client certificates are also used in some businesses to identify employees. Even some Certification Authorities issue client certificates for signing emails (but not exclusively, because they can also be used to identify against a web portal that has access to an OCSP server for certificate revocation).

I think that it should be simple to implement since (I think) WebAuthn is “similar”. I would suggest, since these certificates are not web specific, using some kind of allowed URL list. I would show them in the plugin the same way a “card” is (visible on all websites) and I would ask for an additional password to keep the certificate’s private key protected.

This would allow moving the certificate securely among browsers, computers and phones.

I also have my certificate in my YubiKey; however, the YubiKey installs the public certificate with my whole name and ID number on the Windows computer, and I am not able to make that part work in GNU/Linux.

Example of a website: https://dehu.redsara.es/ (it uses https://pasarela.clave.gob.es/, which is used in almost every website of the country since it’s a European standard: eIDAS)

Other keywords for this idea: identification by client-side certificate, mutual identification.