[cryptography] Client certificate crypto with a twist

Jonathan Katz jkatz at cs.umd.edu
Wed Oct 10 09:52:35 EDT 2012

On Wed, 10 Oct 2012, Guido Witmond wrote:

> Hello Everyone,
> I'm proposing to revitalise an old idea. With a twist.
> The TL;DR:
> 1. Ditch password based authentication over the net;
> 2. Use SSL client certificates instead;
> Here comes the twist:
> 3. Don't use the few hundred global certificate authorities to sign
>   the client certificates. These CA's require extensive identity
>   validations before signing a certificate. These certificates are
>   only useful when the real identity is needed.
>   Currently, passwords provide better privacy but lousy security;
> 4. Instead: install a CA-signer at every website that signs
>   certificates that are only valid for that site. Validation
>   requirement before signing: CN must be unique.

Looking at this just from the point of view of client-server 
authentication, how is this any better than having the website generate a 
cryptographically strong "password" at sign-up time, and then having the 
client store it in the password cache of their browser?

Note that both solutions suffer from the same drawback: it becomes more 
difficult for a user to log on from different computers.

More information about the cryptography mailing list