[cryptography] Client certificate crypto with a twist

ianG iang at iang.org
Fri Oct 12 03:23:47 EDT 2012

On 10/10/12 23:44 PM, Guido Witmond wrote:

> 2. Use SSL client certificates instead;

Yes, it works.  My observations/evidence suggests it works far better 
than passwords because it cuts out the disaster known as "I lost my 

It is what we do over at CAcert, which co-incidentally succeeded because 
we forced all the Assurers to add client certs to their browsers. Once 
they had them, we had enough of a user base to make it worthwhile, the 
chicken & egg problem was solved, and everything else followed.

It's worth noting that you don't need to use a CA at all; the acceptance 
of the cert is done in the server side, and unlike browsers, it does not 
enforce the use of a CA.  Literally it doesn't enforce anything, nor 
accept anything;  part of the job is to add the code and/or 
configuration to accept your preferred certs.  Beyond scope how to do 
it, it is typically messt...

The downside of certs on multiple platforms is noted, but one needs to 
be aware that the people with multiple devices are typically the 
developers, not the users.  In my time with CAcert I've never heard 
anyone grumble that certificate sign-on is no good because of the 
platform problem, they just get on and install the certs...


More information about the cryptography mailing list