[cryptography] Client TLS Certificates - why not?

Jeffrey Walton noloader at gmail.com
Tue Mar 5 13:56:33 EST 2013


On Tue, Mar 5, 2013 at 1:41 PM, StealthMonger
<StealthMonger at nym.mixmin.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jeffrey Walton <noloader at gmail.com> writes:
>
>> Its the key distribution problem. Its the cause of all the troubles.
>
> I don't understand.  Please explain.
>
> What's wrong with the following simple idea:
>
> 1. p2p: The parties opportunistically verify out-of-band after
> exchanging keys via public key servers or (insecure) email.
That's basically SneakerNet. You moved the problem around. If you met
and exchange keys, you wouldn't need to make the phone call. Do it at
the pub over drink.

The problems are (1) It is often not practiced and (2) it surely does
not scale. When is the last time you called a business and asked them
to verify their certificate thumbprint before entering your credit
card?

You also have the problem of explaining it to your grandmom.

Jeff



More information about the cryptography mailing list