[cryptography] Client certificate crypto with a twist
iang at iang.org
Fri Oct 12 03:23:47 EDT 2012
On 10/10/12 23:44 PM, Guido Witmond wrote:
> 2. Use SSL client certificates instead;
Yes, it works. My observations/evidence suggest it works far better
than passwords because it cuts out the disaster known as "I lost my
It is what we do over at CAcert, which co-incidentally succeeded because
we forced all the Assurers to add client certs to their browsers. Once
they had them, we had enough of a user base to make it worthwhile, the
chicken & egg problem was solved, and everything else followed.
It's worth noting that you don't need to use a CA at all; the acceptance
of the cert is done on the server side, and unlike browsers, it does not
enforce the use of a CA. Literally it doesn't enforce anything, nor
accept anything; part of the job is to add the code and/or
configuration to accept your preferred certs. Beyond scope how to do
it, it is typically messy...
The downside of certs on multiple platforms is noted, but one needs to
be aware that the people with multiple devices are typically the
developers, not the users. In my time with CAcert I've never heard
anyone grumble that certificate sign-on is no good because of the
platform problem, they just get on and install the certs...
More information about the cryptography
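The server-side acceptance the post describes, a TLS server that requests a client certificate but consults no CA and leaves the accept/reject decision to code the operator adds, as an added example that is not code from the original post, from CAcert, or from the poster: a Go server that pins enrolled self-signed client certs by SHA-256 fingerprint. The identities pinning-server, alice and mallory, the fingerprint allowlist and the loopback handshake harness are assumptions made for illustration; mallory holds a perfectly well-formed cert and is refused only because it was never enrolled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for cn (hypothetical
// identities). No CA is involved: the cert vouches for nothing, the server's
// allowlist does. Panics on key-generation failure; fine for a demo fixture.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // so the same helper can issue the server cert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// fingerprint is the hex SHA-256 of the DER cert: what you record at enrolment
// time instead of trusting an issuer.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinningConfig requests a client cert but never builds a chain
// (RequireAnyClientCert). VerifyPeerCertificate is the "code you add" that
// decides acceptance; here it is an allowlist of leaf fingerprints.
func pinningConfig(serverCert tls.Certificate, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("no client certificate presented")
			}
			// Only the leaf is consulted; extra certs the client sends are ignored.
			if fp := fingerprint(rawCerts[0]); !allowed[fp] {
				return fmt.Errorf("client certificate %s is not enrolled", fp)
			}
			return nil
		},
	}
}

// tryHandshake runs one loopback handshake and returns the server's verdict.
// The server side is what matters: a TLS 1.3 client finishes its handshake
// before the server has even looked at the client certificate.
func tryHandshake(serverCfg *tls.Config, clientCert tls.Certificate, roots *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer c.Close()
		verdict <- c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		RootCAs:      roots, // the client pins the server the same way: no CA, just its cert
	})
	if err != nil {
		ln.Close() // unblocks Accept if the client never got that far
		<-verdict
		return err
	}
	var b [1]byte
	conn.Read(b[:]) // EOF once the server closes (accepted) or an alert (rejected)
	conn.Close()
	return <-verdict
}

// Demo enrols alice's fingerprint only and reports whether alice and mallory,
// both holding well-formed self-signed certs, get in.
func Demo() (aliceOK, malloryOK bool) {
	server, alice, mallory := selfSigned("pinning-server"), selfSigned("alice"), selfSigned("mallory")
	cfg := pinningConfig(server, map[string]bool{fingerprint(alice.Certificate[0]): true})
	serverX509, _ := x509.ParseCertificate(server.Certificate[0])
	roots := x509.NewCertPool()
	roots.AddCert(serverX509)
	return tryHandshake(cfg, alice, roots) == nil, tryHandshake(cfg, mallory, roots) == nil
}

func main() {
	aliceOK, malloryOK := Demo()
	fmt.Printf("alice (enrolled) accepted: %v, mallory (unknown) accepted: %v\n", aliceOK, malloryOK)
}
```

The same shape carries over to any server stack that exposes a verify callback: turn off chain building, then decide on the leaf yourself. The failure mode to watch is the opposite of the usual one; with no issuer in the loop, revocation is simply deleting the fingerprint from the allowlist, so that list has to be the thing you protect and audit.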