[cryptography] Client certificate crypto with a twist

Ryan Hurst ryan.hurst at globalsign.com
Wed Oct 10 11:59:28 EDT 2012


Have folks looked at http://www.mozilla.org/persona/

It's essentially JSON certificates for client authentication.

Implementing this at the application layer allows them to have a better user experience as well as better client compatibility.

Sent from my iPhone

On Oct 10, 2012, at 8:54 AM, Steven Bellovin <smb at cs.columbia.edu> wrote:

> 
> On Oct 10, 2012, at 9:09 AM, Ben Laurie <ben at links.org> wrote:
> 
>> On Wed, Oct 10, 2012 at 1:44 PM, Guido Witmond <guido at wtmnd.nl> wrote:
>>> Hello Everyone,
>>> 
>>> I'm proposing to revitalise an old idea. With a twist.
>>> 
>>> The TL;DR:
>>> 
>>> 1. Ditch password based authentication over the net;
>>> 
>>> 2. Use SSL client certificates instead;
>>> 
>>> Here comes the twist:
>>> 
>>> 3. Don't use the few hundred global certificate authorities to sign
>>>  the client certificates. These CA's require extensive identity
>>>  validations before signing a certificate. These certificates are
>>>  only useful when the real identity is needed.
>>>  Currently, passwords provide better privacy but lousy security;
>>> 
>>> 4. Instead: install a CA-signer at every website that signs
>>>  certificates that are only valid for that site. Validation
>>>  requirement before signing: CN must be unique.
>> 
>> http://tools.ietf.org/html/draft-balfanz-tls-obc-01
> 
> Sorry, I accidentally hit "Send".
> 
> The issue with any sort of client-side certs is private key availability,
> and in particular moving it from client machine to client machine.  (I
> personally use about 4 different computers and three phones/tablets.  I
> need a secure, privacy-preserving mechanism to synchronize my key store.)
> 
> 
>        --Steve Bellovin, https://www.cs.columbia.edu/~smb
> 
> 
> 
> 
> 
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
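A worked illustration of the per-site signer in Witmond's steps 3 and 4, added here as an example and not code from any poster, from Persona or from the TLS-OBC draft: a site-local CA written in Go (standard library only) that issues client certificates after checking nothing but CN uniqueness, and a verifier that trusts only that site's own root, so the certificate is worthless at a second site. The site names and the CN "alice" are constructed; the client's private key never leaves the client (the CA sees only the public half), which is exactly where Bellovin's key-synchronization problem lives.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SiteCA is a per-site signer as in the proposal: its certificates chain
// only to this site's own root, and it refuses a CN it has already issued.
type SiteCA struct {
	Site   string
	cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	issued map[string]bool
	serial int64
}

// ErrCNTaken is the one validation failure the proposal defines.
var ErrCNTaken = errors.New("common name already issued at this site")

// NewSiteCA creates a self-signed root for one site (site name is constructed).
func NewSiteCA(site string) (*SiteCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: site + " client CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &SiteCA{Site: site, cert: cert, key: key, issued: map[string]bool{}, serial: 1}, nil
}

// NewClientKey is the key pair the client generates locally; moving it
// between the user's devices is the client's problem, never the site's.
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue signs a client certificate for cn over the client's public key.
// The only check is CN uniqueness within this site; no identity vetting.
func (ca *SiteCA) Issue(cn string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if ca.issued[cn] {
		return nil, ErrCNTaken
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	ca.issued[cn] = true
	return cert, nil
}

// Verify is what the site's TLS endpoint does with a presented client cert:
// the trust store holds this site's root and nothing else, so a certificate
// from any other site's signer (or from a public CA) is rejected.
func (ca *SiteCA) Verify(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	site, _ := NewSiteCA("example.test")
	other, _ := NewSiteCA("other.test")
	alice, _ := NewClientKey()
	cert, _ := site.Issue("alice", &alice.PublicKey)
	fmt.Println("same site:", site.Verify(cert))   // <nil>
	fmt.Println("other site:", other.Verify(cert)) // unknown authority
	_, err := site.Issue("alice", &alice.PublicKey)
	fmt.Println("duplicate CN:", err) // ErrCNTaken
}
```

The design point is in `Verify`: because each site's trust store contains only its own root, a certificate cannot be replayed to a second site, which is what gives the scheme the privacy property the proposal claims over globally trusted CAs. Nothing here addresses the private-key availability problem; the key is created in `NewClientKey` on one device and stays there.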

