[cryptography] Client certificate crypto with a twist

Ben Laurie ben at links.org
Wed Oct 10 09:09:41 EDT 2012


On Wed, Oct 10, 2012 at 1:44 PM, Guido Witmond <guido at wtmnd.nl> wrote:
> Hello Everyone,
>
> I'm proposing to revitalise an old idea. With a twist.
>
> The TL;DR:
>
> 1. Ditch password-based authentication over the net;
>
> 2. Use SSL client certificates instead;
>
> Here comes the twist:
>
> 3. Don't use the few hundred global certificate authorities to sign
>    the client certificates. These CAs require extensive identity
>    validations before signing a certificate. These certificates are
>    only useful when the real identity is needed.
>    Currently, passwords provide better privacy but lousy security;
>
> 4. Instead: install a CA-signer at every website that signs
>    certificates that are only valid for that site. Validation
>    requirement before signing: CN must be unique.

http://tools.ietf.org/html/draft-balfanz-tls-obc-01
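The per-site signer described in points 3 and 4 of the proposal, as an added example (not code from either poster or from the draft Ben links): each site runs its own small CA, refuses to sign a second certificate for a CN it has already issued, and at verification time only trusts certificates chained to its own CA, so a certificate issued by one site is worthless at any other. It assumes the `openssl` command-line tool is installed; the site names `siteA`/`siteB`, the CN `alice` and the `issued.txt` registry file are constructed for the example.

```shell
#!/bin/sh
# Added example: a site-local CA that issues client certificates which are
# only meaningful to the site that signed them. Assumes the openssl CLI.
set -eu

# Scratch directory holding one subdirectory per site (constructed layout).
WORK="${WORK:-$(mktemp -d)}"

# make_site_ca <site>: create a self-signed CA whose only purpose is to sign
# client certificates for this one site, plus an empty registry of issued CNs.
make_site_ca() {
    site="$1"
    dir="$WORK/$site"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$site client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    : > "$dir/issued.txt"
}

# issue_client_cert <site> <cn>: the only validation before signing is that
# the CN has not been issued at this site before (point 4 of the proposal).
issue_client_cert() {
    site="$1"; cn="$2"
    dir="$WORK/$site"
    if grep -qx "$cn" "$dir/issued.txt"; then
        echo "refused: CN '$cn' already issued at $site" >&2
        return 1
    fi
    # Client-side key and CSR (generated here only to keep the example offline).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
    # Site CA signs the CSR; the certificate chains only to this site's CA.
    openssl x509 -req -sha256 -days 365 \
        -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/$cn.crt" 2>/dev/null
    echo "$cn" >> "$dir/issued.txt"
}

# verify_client_cert <site> <certfile>: what the site's TLS server does with
# the presented client certificate: trust nothing but its own CA.
verify_client_cert() {
    site="$1"; cert="$2"
    openssl verify -CAfile "$WORK/$site/ca.crt" "$cert" >/dev/null 2>&1
}

# Stand-alone demonstration: run as `sh script.sh demo`.
if [ "${1:-}" = "demo" ]; then
    make_site_ca siteA
    make_site_ca siteB
    issue_client_cert siteA alice
    verify_client_cert siteA "$WORK/siteA/alice.crt" && echo "siteA accepts alice"
    verify_client_cert siteB "$WORK/siteA/alice.crt" || echo "siteB rejects alice's siteA cert"
    issue_client_cert siteA alice || echo "second 'alice' at siteA refused"
fi
```

The `issued.txt` registry is the whole "validation requirement" of point 4; a real deployment would keep that registry in the site's user database and bind it to the account the certificate logs into, so that a CN collision is refused atomically with account creation rather than checked against a flat file.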


