> So you don't want a client-side certificate that includes your name; that's a huge privacy leak.

If it matches the username I have on a website like reddit or HN, then is it really a privacy issue? Anyone, regardless of whether they're logged in or not, can see posts I've made under my username. Though what you say can be an issue for websites where privacy from other users is expected (e.g. banks).

> Today, Web Authentication effectively does something effectively equivalent, as does U2F

Both of those seem to rely on HTTP, while TLS could work with any application level protocol.

They can't see that the posts are coming from your IP address, though. That's one of the things TLS protects—I can post from a coffee shop and nobody at the coffee shop can know (except perhaps by traffic analysis) that the person at the table next to them is the person with this username.