[cryptography] Client TLS Certificates - why not?

Jeffrey Walton noloader at gmail.com
Tue Mar 5 10:18:56 EST 2013

On Tue, Mar 5, 2013 at 9:18 AM, Martin Paljak <martin at martinpaljak.net> wrote:
> On Tue, Mar 5, 2013 at 2:08 PM, ianG <iang at iang.org> wrote:
>> This whole argument that certs aren't portable across devices is something
>> of a strawman.  Companies deploy SSL certs across accelerators all the time,
>> so why not client certs?  The reason is the assumptions that are designed to
>> stop you doing that.  Get rid of those assumptions, and client certs work.
> Because:
>  - Distributing (encryption) keys securely is not that easy to
> accomplish
That's Patient 0. It's the key distribution problem. It's the cause of
all the troubles.

Web of Trust, Hierarchy of Trust, DNSSEC/DANE, Sovereign Keys,
Convergence, {Certificate|Public Key} Pinning, Key Continuity, etc. are
all band-aids for the first patient.
