[cryptography] Client certs

Kevin W. Wall kevin.w.wall at gmail.com
Tue Sep 27 21:56:13 EDT 2011

On Tue, Sep 27, 2011 at 10:17 AM, M.R. <makrober at gmail.com> wrote:
> On 25/09/11 21:52, ianG wrote:
>> ... Any client cert is better than the current best saved
>> password situation, because the technical security of a
>> public key pair always exceeds a password...
> Client certs are not a practical solution for retail and other
> low security applications: they require that the end user uses
> either one and only one computer, or that they are burdened
> with transferring certificates between all the computers that
> are being used by one customer to access to site and transact
> the business.

Regardless of trying to get a solution to work on multiple computers,
I think that the bigger problem would be just getting regular users
used to using the correct client cert. I don't know about the rest of
you, but I wouldn't want the client cert that I use for (say) Gmail
that I might use for my bank or 401(k) site.

We have had trouble explaining these things to IT folks, so
I'm not sure someone without that IT background would ever
get this.

Plus if we starting getting sites like the New York Times and
all the other places where we shouldn't really (IMO) require
authentication in the first place using client certs for
authN, malware writers would just start writing software
that steals your cert and private key. (And don't try to
tell me that regular users will secure their private key with
a pass phrase. That will rarely, if ever, happen, and even if
it did, a keystroke longer in the malware would take care of

Bottom line is that client certs are good for authN in many
different cases, but they are not a panacea.

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein

More information about the cryptography mailing list