[cryptography] Client certs

M.R. makrober at gmail.com
Tue Sep 27 10:17:04 EDT 2011


On 25/09/11 21:52, ianG wrote:
>
> ... Any client cert is better than the current best saved
> password situation, because the technical security of a
> public key pair always exceeds a password...

Client certs are not a practical solution for retail and other
low security applications: they require that the end user uses
either one and only one computer, or that they are burdened
with transferring certificates between all the computers that
are being used by one customer to access the site and transact
the business.

I have noticed that "crypto experts" keep pushing this "use-only-
a-single-trusted-computer" M.O. on the end users, while site
operators (retail especially) understand it is utterly unrealistic
and insist on passwords since these can be used on any computer
their customer happens to be at.

Mark R.



