[cryptography] Client TLS Certificates - why not?

Jeffrey Walton noloader at gmail.com
Tue Mar 5 13:56:33 EST 2013

On Tue, Mar 5, 2013 at 1:41 PM, StealthMonger
<StealthMonger at nym.mixmin.net> wrote:
> Jeffrey Walton <noloader at gmail.com> writes:
>> It's the key distribution problem. It's the cause of all the troubles.
> I don't understand.  Please explain.
> What's wrong with the following simple idea:
> 1. p2p: The parties opportunistically verify out-of-band after
> exchanging keys via public key servers or (insecure) email.
That's basically SneakerNet. You moved the problem around. If you met
and exchanged keys, you wouldn't need to make the phone call. Do it at
the pub over a drink.

The problems are (1) it is often not practiced and (2) it surely does
not scale. When is the last time you called a business and asked them
to verify their certificate thumbprint before entering your credit

You also have the problem of explaining it to your grandmom.

