[cryptography] Client TLS Certificates - why not?

StealthMonger StealthMonger at nym.mixmin.net
Mon Mar 4 12:10:08 EST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Gutmann <pgut001 at cs.auckland.ac.nz> writes:

> <strife at riseup.net> writes:

>>Can anyone enlighten me why client TLS certificates are used so
>>rarely?  It used to be a hassle in the past

> They're still a huge pain to work with, and probably always will be.
> If you don't believe me, go to your mother, sit her in front of a
> computer, sit behind her with your arms crossed so you can't point
> to anything or type stuff out for her, and walk her through the
> process of acquiring and using one without leaving your chair or
> performing any part of the operation for her.

> Now imagine getting her to do the same using only a sheet of
> instructions you've written.

Mother sits down at her computer to do email.  Computer notices that
she does not have an encryption key (client-side certificate), starts
a background process to generate one, and tells her:

   From now on, you will have a new email address.  Starting next
   week, the old one will no longer work.

   This will be the only computer on which you can receive email.  If
   you ever want to use another computer, press "Add/Change Computer"
   below.

   [Computer finishes generating key with key ID xlzoazsabewlcc.]

   Your new email address is "xlzoazsabewlcc".  It is now being
   broadcast worldwide.  Tell your bank and all your friends.

   This computer is the only computer in the world that can receive
   messages to this new address.  You should probably make a backup.
   Press "Make Backup" below.

   Anyone else who can log into this computer has access to all your
   bank accounts and email.  Make sure your login password is strong.

Simple as that.  (Well, almost.)  Admittedly, this is oriented to
email, not browsing.  But the browser can be told to look for the same
key ring for certificate material.

- -- 


 -- StealthMonger <StealthMonger at nym.mixmin.net>
    Long, random latency is part of the price of Internet anonymity.

   anonget: Is this anonymous browsing, or what?
   http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain

   stealthmail: Hide whether you're doing email, or when, or with whom.
   mailto:stealthsuite at nym.mixmin.net?subject=send%20index.html


Key: mailto:stealthsuite at nym.mixmin.net?subject=send%20stealthmonger-key

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.9 <http://mailcrypt.sourceforge.net/>

iEYEARECAAYFAlE0lwoACgkQDkU5rhlDCl4R9gCfVOs1ynBZUqmE8TGDH9HjSvt6
nhQAn3vZpOK91H+exiJf3gyoRR4OF28r
=NeCP
-----END PGP SIGNATURE-----




More information about the cryptography mailing list